Abstract


A logical framework and its implementation should serve as a flexible tool for specifying, simulating, and reasoning about formal systems. When the formal systems we are interested in exhibit state and concurrency, however, existing logical frameworks fall short of this goal. Logical frameworks based on a rewriting interpretation of substructural logics, ordered and linear logic in particular, can help. To this end, this dissertation introduces and demonstrates four methodologies for developing and using substructural logical frameworks for specifying and reasoning about stateful and concurrent systems.

Structural focalization is a synthesis of ideas from Andreoli's focused sequent calculi and Watkins's hereditary substitution. We can use structural focalization to take a logic and define a restricted form of derivations, the focused derivations, that form the basis of a logical framework. We apply this methodology to define SLS, a logical framework for substructural logical specifications, as a fragment of ordered linear lax logic.

Logical correspondence is a methodology for relating and inter-deriving different styles of programming language specification in SLS. The styles we connect range from very high-level specification styles like natural semantics, which do not fully specify the control structure of programs, to low-level specification styles like destination-passing, which provide detailed control over concurrency and control flow. We apply this methodology to systematically synthesize a low-level destination-passing semantics for a Mini-ML language extended with stateful and concurrent primitives. The specification is mostly high-level except for the relatively few rules that actually deal with concurrency.

Linear logical approximation is a methodology for deriving program analyses by performing abstract analysis on the SLS encoding of the language's operational semantics. We demonstrate this methodology by deriving a control flow analysis and an alias analysis from suitable programming language specifications.

Generative invariants are a powerful generalization of both context-free grammars and LF's regular worlds that allow us to express invariants of SLS specifications in SLS. We show that generative invariants can form the basis of progress-and-preservation-style reasoning about programming languages encoded in SLS.
Chapter 1
Introduction


Suppose you find yourself in possession of

* a calculator of unfamiliar design, or

* a new board game, or

* the control system for an army of robots, or

* an implementation of a security protocol, or

* the interface to a high-frequency trading system.

The fundamental questions are the same: What does it do? What are the rules of the game? The answer to these questions, whether it comes in the form of an instruction manual, a legal document, or an ISO standard, is a specification.

Specifications must be formal, because any room for misinterpretation could (respectively) lead to incorrect calculations, accusations of cheating, a robot uprising, a security breach, or bankruptcy. At the same time, specifications must be clear: while clarity is in the eye of the beholder, a specification that one finds hopelessly confusing or complex is no more useful than one that is hopelessly vague. Clarity is what allows us to communicate with each other, to use specifications to gain a common understanding of what some system does and to think about how that system might be changed. Formality is what allows specifications to interact with the world of computers, to say with confidence that the implementation of the calculator or high-frequency trading system obeys the specification. Formality also allows specifications to interact with the world of mathematics, and this, in turn, enables us to make precise and accurate statements about what may or may not happen to a given system.

The specification of many (too many!) critical systems still remains in the realm of English text, and the inevitable lack of formality can and does make formal reasoning about these specifications difficult or impossible. Notably, this is true about most of the programming languages used to implement our calculators, program our robot army control systems, enforce our security protocols, and interact with our high-frequency trading systems. In the last decade, however, we have finally begun to see the emergence of operational semantics specifications (the "rules of the game" for a programming language) for real-world programming languages that are truly formal. A notable aspect of this recent work is that the formalization effort is not done simply for formalization's sake. Ellison and Roșu's formal semantics of C can be used to check individual programs for undefined behavior, unsafe situations where the rules of the game no longer apply and the compiler is free to do anything, including unleashing the robot army [ER12]. Lee, Crary, and Harper's formalization of Standard ML has been used to formally prove - using a computer to check all the proof's formal details - a much stronger safety property: that every program accepted by the compiler is free of undefined behavior [LCH07].

Mathematics, by contrast, has a century-long tradition of insisting on absolute formality (at least in principle: practice often falls far short). Over time, this tradition has become a collaboration between practicing mathematicians and practicing computer scientists, because while humans are reasonable judges of clarity, computers have absolutely superhuman patience when it comes to checking all the formal details of an argument. One aspect of this collaboration has been the development of logical frameworks. In a logical framework, the language of specifications is derived from the language of logic, which gives specifications in a logical framework an independent meaning based on the logic from which the logical framework was derived. To be clear, the language of logic is not a single, unified entity: logics are formal systems that satisfy certain internal coherence properties, and we study many of them. For example, the logical framework Coq is based on the Calculus of Inductive Constructions [Coq10], the logical framework Agda is based on a variant of Martin-Löf's type theory called UTTΣ [Nor07], and the logical framework Twelf is based on the dependent type theory λΠ, also known as LF [PS99b]. Twelf was the basis of Lee, Crary, and Harper's formalization of Standard ML.

Why is there not a larger tradition of formally specifying the programming languages that people actually use? Part of the answer is that most languages that people actually use have lots of features - like mutable state, or exception handling, or synchronization and communication, or lazy evaluation - that are not particularly pleasant to specify using existing logical frameworks. Dealing with a few unpleasant features at a time might not be much trouble, but the combinations that appear in actual programming languages cause formal programming language specifications to be both unclear for humans to read and inconvenient for formal tools to manipulate. A more precise statement is that the addition of the aforementioned features is non-modular, because handling a new feature requires reconsidering and revising the rest of the specification. Some headway on this problem has been made by frameworks like the K semantic framework that are formal but not logically derived; the K semantic framework is based on a formal system of rewriting rules [Roș10]. Ellison and Roșu's formalization of C was done in the K semantic framework.

This dissertation considers the specification of systems, particularly programming languages, in logical frameworks. We consider a particular family of logics, called substructural logics, in which logical propositions can be given an interpretation as rewriting rules as detailed by Cervesato and Scedrov [CS09]. We seek to support the following:

Thesis Statement: Logical frameworks based on a rewriting interpretation of substructural logics are suitable for modular specification of programming languages and formal reasoning about their properties.¹

Part I of the dissertation covers the design of logical frameworks that support this rewriting interpretation and the design of the logical framework SLS in particular. Part II considers the modular specification of programming language features in SLS and the methodology by which we organize and relate styles of specification. Part III discusses formal reasoning about properties of SLS specifications, with an emphasis on establishing invariants.

¹The original thesis proposal used the phrase "forward reasoning in substructural logics" instead of the phrase "a rewriting interpretation of substructural logics," but these are synonymous, as discussed in Section 4.6.

Figure 1.1: Series of PDA transitions

1.1 Logical frameworks

Many interesting stateful systems have a natural notion of ordering that is fundamental to their behavior. A very simple example is a push-down automaton (PDA) that reads a string of symbols left-to-right while maintaining and manipulating a separate stack of symbols. We can represent a PDA's internal configuration as a sequence with three regions:

[ the stack ] [ the head ] [ the string being read ]

where the symbols closest to the head are the top of the stack and the symbol waiting to be read from the string. If we represent the head as a token hd, we can describe the behavior (the rules of the game) for the PDA that checks a string for correct nesting of angle braces by using two rewriting rules:


hd <   ↣   < hd      (push)

< hd >   ↣   hd      (pop)

The distinguishing feature of these rewriting rules is that they are local - they do not mention the entire stack or the entire string, just the relevant fragment at the beginning of the string and the top of the stack. Execution of the PDA on a particular string of tokens then consists of (1) appending the token hd to the beginning of the string, (2) repeatedly performing rewritings until no more rewrites are possible, and (3) checking to see if only a single token hd remains. One possible series of transitions that this rewriting system can take is shown in Figure 1.1.

Because our goal is to use a framework that is both simple and logically motivated, we turn to a substructural logic called ordered logic, a fragment of which was originally proposed by Lambek for applications in computational linguistics [Lam58]. In ordered logic, hypotheses are ordered relative to one another and cannot be rearranged. The rewriting rules we considered above can be expressed as propositions in ordered logic, where the tokens hd, >, and < are all treated as atomic propositions:


push : hd • <  ↣  {< • hd}

pop : < • hd • >  ↣  {hd}

The symbol • (pronounced "fuse") is the binary connective for ordered conjunction (i.e. concatenation); it binds more tightly than the arrow ↣, a binary connective for ordered implication. The curly braces {...} can be ignored for now.

The propositional fragment of ordered logic is Turing complete: it is in fact a simple exercise to specify a Turing machine! Nevertheless, first-order quantification helps us write specifications that are short and clear. For example, by using first-order quantification we can describe a more general push-down automaton in a generic way. In this generic specification, we use left(X) and right(X) to describe left and right angle braces (X = an), square braces (X = sq), and parentheses (X = pa). The string [ < > ( [ ] ) ] is then represented by the following sequence of ordered atomic propositions:

left(sq) left(an) right(an) left(pa) left(sq) right(sq) right(pa) right(sq)

The following rules describe the more general push-down automaton:

push : ∀x. hd • left(x)  ↣  {stack(x) • hd}
pop : ∀x. stack(x) • hd • right(x)  ↣  {hd}

(This specification would still be possible in propositional ordered logic; we would just need one copy of the push rule and one copy of the pop rule for each pair of braces.) Note that while we use the fuse connective to indicate adjacent tokens in the rules above, no fuses appear in Figure 1.1. That is because the intermediate states are not propositions in the same way rules are propositions. Rather, the intermediate states in Figure 1.1 are contexts in ordered logic, which we will refer to as process states.

The most distinctive characteristic of these transition systems is that the intermediate stages of computation are encoded in the structure of a substructural context (a process state). This general idea dates back to Miller [Mil93] and his Ph.D. student Chirimar [Chi95], who encoded the intermediate states of a π-calculus and of a low-level RISC machine (respectively) as contexts in focused classical linear logic. Part I of this dissertation is concerned with the design of logical frameworks for specifying transition systems. In this respect, Part I follows in the footsteps of Miller's Forum [Mil96], Cervesato and Scedrov's multiset rewriting language ω [CS09], and Watkins et al.'s CLF [WCPW02].

As an extension to CLF, the logical framework we develop is able to specify systems like the π-calculus, security protocols, and Petri nets that can be encoded in CLF [CPWW02]. The addition of ordered logic allows us to easily incorporate specifications that are naturally expressed as string rewriting systems. An example from the verification domain, taken from Bouajjani and Esparza [BE06], is shown in Figure 1.2. The left-hand side of the figure is a simple Boolean program: the procedure foo has one local variable and the procedure main has no local variables but mentions a global variable b. Bouajjani and Esparza represented Boolean programs like this one as canonical systems like the one shown in the middle of Figure 1.2. Canonical systems are rewriting systems where only the left-most tokens are ever rewritten: the left-most token in this canonical system always has the form ⟨b⟩, where b is either true (tt) or false (ff), representing the valuation of the global variables - there is only one, b. The token to the right of the global variables contains the current program counter and the value of the current local variables. The token to the right of that contains the program counter and local variables of the calling procedure, and so on, forming a call stack that grows off to the right (in contrast to the PDA's stack, which grew off to the left). Canonical systems can be directly represented in ordered logic, as shown on the right-hand side of Figure 1.2. The atomic proposition gl(b) contains the global variables (versus ⟨b⟩ in the middle column), the atomic proposition foo(l, f) contains the local variables and program counter within the procedure foo (versus ⟨l, f⟩ in the middle column), and the atomic proposition main(m) contains the program counter within the procedure main (versus ⟨m⟩ in the middle column).

(left) The Boolean program:

bool function foo(l)
  f0: if l then
  f1:   return ff
      else
  f2:   return tt
      fi

procedure main()
  global b
  m0: while b do
  m1:   b := foo(b)
      od
  m2: return

(middle) The same program as a canonical system:

⟨b⟩⟨tt, f0⟩ → ⟨b⟩⟨tt, f1⟩
⟨b⟩⟨ff, f0⟩ → ⟨b⟩⟨ff, f2⟩
⟨b⟩⟨l, f1⟩ → ⟨ff⟩
⟨b⟩⟨l, f2⟩ → ⟨tt⟩

⟨tt⟩⟨m0⟩ → ⟨tt⟩⟨m1⟩
⟨ff⟩⟨m0⟩ → ⟨ff⟩⟨m2⟩
⟨b⟩⟨m1⟩ → ⟨b⟩⟨b, f0⟩⟨m0⟩
⟨b⟩⟨m2⟩ → ε

(right) The canonical system in SLS:

∀b. gl(b) • foo(tt, f0)  ↣  {gl(b) • foo(tt, f1)}
∀b. gl(b) • foo(ff, f0)  ↣  {gl(b) • foo(ff, f2)}
∀b. gl(b) • foo(l, f1)  ↣  {gl(ff)}
∀b. gl(b) • foo(l, f2)  ↣  {gl(tt)}

gl(tt) • main(m0)  ↣  {gl(tt) • main(m1)}
gl(ff) • main(m0)  ↣  {gl(ff) • main(m2)}
∀b. gl(b) • main(m1)  ↣  {gl(b) • foo(b, f0) • main(m0)}
∀b. gl(b) • main(m2)  ↣  {1}

Figure 1.2: A Boolean program, encoded as a rewriting system and in SLS

The development of SLS, a CLF-like framework of substructural logical specifications that includes an intrinsic notion of order, is a significant development of Part I of the dissertation. However, the principal contribution of these three chapters is the development of structural focalization, which unifies Andreoli's work on focused logics [And92] with the hereditary substitution technique that Watkins developed in the context of CLF [WCPW02]. Chapter 2 explains structural focalization in the context of linear logic, Chapter 3 establishes focalization for a richer substructural logic OL3, and Chapter 4 takes focused OL3 and carves out the SLS framework as a fragment of the focused logic.
1.2 Substructural operational semantics


Existing logical frameworks are perfectly capable of representing simple systems like PDAs, and while applications in the verification domain like the rewriting semantics of Boolean programs are an interesting application of SLS, they will not be a focus of this dissertation. Instead, in Part II, we will concentrate on specifying the operational semantics of programming languages in SLS. We can represent operational semantics in SLS in many ways, but we are particularly interested in a broad specification style called substructural operational semantics, or SSOS [Pfe04, PS09].² SSOS is a synthesis of structural operational semantics, abstract machines, and logical specifications.

One of our running examples will be a call-by-value operational semantics for the untyped lambda calculus, defined by the BNF grammar:

e ::= x | λx.e | e1 e2

Taking some liberties with our representation of terms,³ we can describe call-by-value evaluation for this language with the same rewriting rules we used to describe the PDA and the Boolean program's semantics. Our specification uses three atomic propositions: one, eval(e), carries an unevaluated expression e, and another, retn(v), carries an evaluated value v. The third atomic proposition, cont(f), contains a continuation frame f that represents some partially evaluated value: f = □ e2 contains an expression e2 waiting on the evaluation of e1 to a value, and f = (λx.e) □ contains a function λx.e waiting on the evaluation of e2 to a value. These frames are arranged in a stack that grows off to the right (like the Boolean program's stack).

The evaluation of a function is simple, as a function is already a fully evaluated value, so we replace eval(λx.e) in-place with retn(λx.e):

ev/lam : eval (λx.e)  ↣  {retn (λx.e)}

The evaluation of an application e1 e2, on the other hand, requires us to push a new element onto the stack. We evaluate e1 e2 by evaluating e1 and leaving behind a frame □ e2 that suspends the argument e2 while e1 is being evaluated to a value.

ev/app : eval (e1 e2)  ↣  {eval (e1) • cont (□ e2)}

When a function is returned to a waiting □ e2 frame, we switch to evaluating the function argument while storing the returned function in a frame (λx.e) □.

ev/app1 : retn (λx.e) • cont (□ e2)  ↣  {eval (e2) • cont ((λx.e) □)}

Finally, when an evaluated function argument is returned to the waiting (λx.e) □ frame, we substitute the value into the body of the function and evaluate the result.

ev/app2 : retn (v2) • cont ((λx.e) □)  ↣  {eval ([v2/x]e)}
   eval ((λx.x) ((λy.y) (λz.e)))
⇝  eval (λx.x)  cont (□ ((λy.y) (λz.e)))                     (by rule ev/app)
⇝  retn (λx.x)  cont (□ ((λy.y) (λz.e)))                     (by rule ev/lam)
⇝  eval ((λy.y) (λz.e))  cont ((λx.x) □)                     (by rule ev/app1)
⇝  eval (λy.y)  cont (□ (λz.e))  cont ((λx.x) □)             (by rule ev/app)
⇝  retn (λy.y)  cont (□ (λz.e))  cont ((λx.x) □)             (by rule ev/lam)
⇝  eval (λz.e)  cont ((λy.y) □)  cont ((λx.x) □)             (by rule ev/app1)
⇝  retn (λz.e)  cont ((λy.y) □)  cont ((λx.x) □)             (by rule ev/lam)
⇝  eval (λz.e)  cont ((λx.x) □)                              (by rule ev/app2)
⇝  retn (λz.e)  cont ((λx.x) □)                              (by rule ev/lam)
⇝  eval (λz.e)                                               (by rule ev/app2)
⇝  retn (λz.e)                                               (by rule ev/lam)

Figure 1.3: SSOS evaluation of an expression to a value


These four rules constitute an SSOS specification of call-by-value evaluation; an example of evaluating the expression (λx.x) ((λy.y) (λz.e)) to a value under this specification is given in Figure 1.3. Again, each intermediate state is represented by a process state or ordered context.

The SLS framework admits many styles of specification. The SSOS specification above resides in the concurrent fragment of SLS. (This rewriting-like fragment is called concurrent because rewriting specifications are naturally concurrent - we can just as easily seed the process state with two propositions eval(e) and eval(e') that will evaluate to values concurrently and independently, side-by-side in the process state.) Specifications in the concurrent fragment of SLS can take many different forms, a point that we will discuss further in Chapter 5.

On the other end of the spectrum, the deductive fragment of SLS supports the specification of inductive definitions by the same methodology used to represent inductive definitions in LF [HHP93]. We can therefore use the deductive fragment of SLS to specify a big-step operational semantics for call-by-value evaluation by inductively defining the judgment e ⇓ v, which expresses that the expression e evaluates to the value v. On paper, this big-step operational semantics is expressed with two inference rules:

                    e1 ⇓ λx.e    e2 ⇓ v2    [v2/x]e ⇓ v
λx.e ⇓ λx.e         ---------------------------------------
                                  e1 e2 ⇓ v

Big-step operational semantics specifications are compact and elegant, but they are not particularly modular. As a (contrived but illustrative) example, consider the addition of an incrementing counter count to the language of expressions e. The counter is a piece of runtime state, and every time count is evaluated, our runtime must return the value of the counter and then increment the counter.⁴ To extend the big-step operational semantics with this new feature, we have to revise all the existing rules so that they mention the running counter:

(count, n) ⇓ (n, n + 1)          (λx.e, n) ⇓ (λx.e, n)

(e1, n) ⇓ (λx.e, n1)    (e2, n1) ⇓ (v2, n2)    ([v2/x]e, n2) ⇓ (v, n')
------------------------------------------------------------------------
                         (e1 e2, n) ⇓ (v, n')

The simple elegance of our big-step operational semantics has been tarnished by the need to deal with state, and each new stateful feature requires a similar revision. In contrast, our SSOS specification can tolerate the addition of a counter without revision to the existing rules; we just store the counter's value in an atomic proposition store(n) to the left of the eval(e) or retn(v) proposition in the ordered context. Because the rules ev/lam, ev/app, ev/app1, and ev/app2 are local, they will ignore this extra proposition, which only needs to be accessed by the rule ev/count.

ev/count : store n • eval count  ↣  {store (n + 1) • retn n}

In Figure 1.4, we give an example of evaluating (((λx.λy.y) count) count) to a value with a starting counter value of 5. This specific solution - adding a counter proposition to the left of the eval or retn - is rather contrived. We want, in general, to be able to add arbitrary state, and this technique only allows us to add one piece of runtime state easily: if we wanted to introduce a second counter, where would it go? Nevertheless, the example does foreshadow how, in Part II of this dissertation, we will show that SSOS specifications in SLS allow for the modular specification of many programming language features.

²The term substructural operational semantics merges structural operational semantics [Plo04], which we seek to generalize, and substructural logic, which forms the basis of our specification framework.

³In particular, we are leaving the first-order quantifiers implicit in this section and using an informal object language representation of syntax. The actual representation of syntax uses LF terms that adequately encode this object language, as discussed in Section 4.1.4.

⁴To keep the language small, we can represent numerals n as Church numerals: 0 = (λf.λx.x), 1 = (λf.λx.f x), 2 = (λf.λx.f (f x)), and so on. Then, n + 1 = λf.λx.f e if n = λf.λx.e.

   store 5  eval (((λx.λy.y) count) count)
⇝  store 5  eval ((λx.λy.y) count)  cont (□ count)                    (by rule ev/app)
⇝  store 5  eval (λx.λy.y)  cont (□ count)  cont (□ count)            (by rule ev/app)
⇝  store 5  retn (λx.λy.y)  cont (□ count)  cont (□ count)            (by rule ev/lam)
⇝  store 5  eval (count)  cont ((λx.λy.y) □)  cont (□ count)          (by rule ev/app1)
⇝  store 6  retn (5)  cont ((λx.λy.y) □)  cont (□ count)              (by rule ev/count)
⇝  store 6  eval (λy.y)  cont (□ count)                               (by rule ev/app2)
⇝  store 6  retn (λy.y)  cont (□ count)                               (by rule ev/lam)
⇝  store 6  eval (count)  cont ((λy.y) □)                             (by rule ev/app1)
⇝  store 7  retn (6)  cont ((λy.y) □)                                 (by rule ev/count)
⇝  store 7  eval (6)                                                  (by rule ev/app2)
⇝  store 7  retn (6)                                                  (by rule ev/lam)

Figure 1.4: Evaluation with an imperative counter
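The four SSOS rules ev/lam, ev/app, ev/app1 and ev/app2 of this section, and the counter extension ev/count just described, can be run directly as rewriting on an ordered process state. The following is an added example written for this chapter, not code from the dissertation or from the SLS implementation. The tuple encodings of terms, frames and propositions are constructed here; in particular ('num', n) stands in for the Church numerals of footnote 4 so that counter values stay readable, and a numeral is treated as a value by ev/lam exactly as Figure 1.4 treats the Church numeral 6. The point to observe is that the original four rules are untouched when store and ev/count are added: each rule matches only a proposition and its immediate neighbours.

```python
# Constructed encodings (an assumption of this example, not the dissertation's):
#   terms         ('var', x) | ('lam', x, e) | ('app', e1, e2) | ('count',) | ('num', n)
#   frames        ('arg', e2)  stands for  □ e2      ('fun', lam)  stands for  (λx.e) □
#   propositions  ('eval', e) | ('retn', v) | ('cont', frame) | ('store', n)
# A process state is a list of propositions; the counter, when present, sits
# at the far left as the text prescribes.

def subst(v, x, e):
    """[v/x]e.  Every value substituted here is closed, so no capture can occur."""
    tag = e[0]
    if tag == 'var':
        return v if e[1] == x else e
    if tag == 'lam':
        return e if e[1] == x else ('lam', e[1], subst(v, x, e[2]))
    if tag == 'app':
        return ('app', subst(v, x, e[1]), subst(v, x, e[2]))
    return e                                  # count and num contain no variables

def is_value(e):
    return e[0] in ('lam', 'num')             # num plays the role of a Church numeral

def step(state):
    """Fire the first applicable rule, scanning left to right.  Each rule looks
    only at one proposition and its immediate neighbours."""
    for i, p in enumerate(state):
        prev = state[i - 1] if i > 0 else None
        nxt = state[i + 1] if i + 1 < len(state) else None
        if p[0] == 'eval':
            e = p[1]
            if is_value(e):                   # ev/lam : eval (λx.e) ↣ {retn (λx.e)}
                return 'ev/lam', state[:i] + [('retn', e)] + state[i + 1:]
            if e[0] == 'app':                 # ev/app : eval (e1 e2) ↣ {eval (e1) • cont (□ e2)}
                new = [('eval', e[1]), ('cont', ('arg', e[2]))]
                return 'ev/app', state[:i] + new + state[i + 1:]
            if e[0] == 'count' and prev is not None and prev[0] == 'store':
                n = prev[1]                   # ev/count : store n • eval count ↣ {store (n+1) • retn n}
                new = [('store', n + 1), ('retn', ('num', n))]
                return 'ev/count', state[:i - 1] + new + state[i + 1:]
        if p[0] == 'retn' and nxt is not None and nxt[0] == 'cont':
            v, frame = p[1], nxt[1]
            if frame[0] == 'arg' and v[0] == 'lam':
                # ev/app1 : retn (λx.e) • cont (□ e2) ↣ {eval (e2) • cont ((λx.e) □)}
                new = [('eval', frame[1]), ('cont', ('fun', v))]
                return 'ev/app1', state[:i] + new + state[i + 2:]
            if frame[0] == 'fun':
                # ev/app2 : retn (v2) • cont ((λx.e) □) ↣ {eval ([v2/x]e)}
                _, x, body = frame[1]
                return 'ev/app2', state[:i] + [('eval', subst(v, x, body))] + state[i + 2:]
    return None

def run(state):
    """Rewrite to a fixpoint; return the final process state and the rule trace."""
    trace = []
    while (r := step(state)) is not None:
        name, state = r
        trace.append(name)
    return state, trace

def lam(x, e): return ('lam', x, e)
def app(e1, e2): return ('app', e1, e2)
def var(x): return ('var', x)
COUNT = ('count',)

# Figure 1.3's expression with the body e instantiated to z, and Figure 1.4's
# program (((λx.λy.y) count) count) started with the counter at 5.
FIG13 = [('eval', app(lam('x', var('x')), app(lam('y', var('y')), lam('z', var('z')))))]
FIG14 = [('store', 5), ('eval', app(app(lam('x', lam('y', var('y'))), COUNT), COUNT))]

if __name__ == '__main__':
    for start in (FIG13, FIG14):
        final, trace = run(start)
        print(final)
        print(' -> '.join(trace))
```

The trace for FIG14 reproduces the eleven rule applications of Figure 1.4 and ends in the state store 7, retn 6. Seeding the state with two eval propositions side by side, as the text on the concurrent fragment describes, works without any change to the rules, because a retn is only ever consumed by a cont frame immediately to its right.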

An overarching theme of Part II is that we can have our cake and eat it too by deploying the logical correspondence, an idea that was developed jointly with Ian Zerny and that is explained in Chapter 5. In Chapter 6, we show how we can use the logical correspondence to directly connect the big-step semantics and SSOS specifications above; in fact, we can automatically and mechanically derive the latter from the former. As our example above showed, big-step operational semantics do not support combining the specification of pure features (like call-by-value evaluation) with the specification of a stateful feature (like the counter) - or, at least, doing so requires more than concatenating the specifications. Using the automatic transformations described in Chapter 6, we can specify pure features (like call-by-value evaluation) as a simpler big-step semantics specification, and then we can compose that specification with an SSOS specification of stateful features (like the counter) by mechanically transforming the big-step semantics part of the specification into SSOS. In SSOS, the extension is modular: the call-by-value specification can be extended by just adding new rules for the counter. Further transformations, developed in joint work with Pfenning [SP11a], create new opportunities for modular extension; this is the topic of Chapter 7.

Appendix B puts the logical correspondence to work by demonstrating that we can create a single coherent language specification by composing four different styles of specification. Pure features are given a natural semantics, whereas stateful, concurrent, and control features are specified at the most "high-level" SSOS specification style that is appropriate. The automatic transformations that are the focus of Part II then transform the specifications into a single coherent specification.

Transformations on SLS specifications also allow us to derive abstract analyses (such as control flow and alias analysis) directly from SSOS specifications. This methodology for program abstraction, linear logical approximation, is the focus of Chapter 8.


1.3 Invariants in substructural logic

A prominent theme in work on model checking and rewriting logic is expressing invariants in terms of temporal logics like LTL and verifying these properties with exhaustive state-space exploration [CDE+11, Chapter 10]. In Part III of this dissertation we offer an approach to invariants that is complementary to this model checking approach. From a programming languages perspective, invariants are often associated with types. Type invariants are well-formedness criteria on programs that are weak enough to be preserved by state transitions (a property called preservation) but strong enough to allow us to express the properties we expect to hold of all well-formed program states. In systems free of deadlock, a common property we want to hold is progress - a well-typed state is either final or it can evolve to some other state with a state transition. (Even in systems where deadlock is a possibility, progress can be handled by stipulating that a deadlocked state is final.) Progress and preservation together imply the safety property that a language is free of unspecified behavior.

Chapter 9 discusses the use of generative signatures to describe well-formedness invariants of specifications. Generative signatures look like a generalization of context-free grammars, and they allow us to characterize contexts by describing rewriting rules that generate legal or well-formed process states in the same way that context-free grammars characterize grammatical strings by describing rules that generate all grammatical strings.

    gen_state
    ⇝ gen_state  cont((λx.x) □)                          (by rule gen/app2)
    ⇝ gen_state  cont(□ (λz.e))  cont((λx.x) □)          (by rule gen/app1)
    ⇝ retn(λy.y)  cont(□ (λz.e))  cont((λx.x) □)         (by rule gen/retn)

Figure 1.5: Proving well-formedness of one of the states from Figure 1.3

In our example SSOS specification, a process state that consists of only a single retn(v) proposition is final, and a well-formed state is any state that consists of an atomic proposition eval(e) (where e is a closed expression) or retn(λx.e) (where λx.e is a closed expression) to the left of a series of continuation frames cont(□ e) or cont((λx.e) □). We can characterize all such states as being generated from an initial atomic proposition gen_state under the following generative signature:

    gen/eval : gen_state ⇝ {eval(e)}
    gen/retn : gen_state ⇝ {retn(λx.e)}
    gen/app1 : gen_state ⇝ {gen_state • cont(□ e2)}
    gen/app2 : gen_state ⇝ {gen_state • cont((λx.e) □)}

The derivation of one of the intermediate process states from Figure 1.3 is shown in Figure 1.5.

Well-formedness is a global property of specifications. Therefore, if we add state to the specification, we have to change the description of what counts as a final state and extend the grammar of well-formed process states. In the case of our counter extension, final states have a single store(n) proposition to the left of a single retn(v) proposition, and well-formed states are generated from an initial atomic proposition gen under the following extension to the previous generative signature:

    gen/all   : gen ⇝ {gen_store • gen_state}
    gen/store : gen_store ⇝ {store(n)}
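As an added example (not part of the dissertation or the SLS prototype), the Python below reads the generative signature above, together with its counter extension, as a grammar: given a candidate process state it rebuilds the gen_state derivation in the order Figure 1.5 uses, or rejects the state. The Mini-ML expression syntax is a constructed minimum (variables, lambdas, applications), and expressions inside continuation frames are assumed to be closed.

```python
"""Checker for the generative signatures of Section 1.3.
Added example, not code from the dissertation or the SLS prototype.  A process
state is an ordered list of atomic propositions, left to right; the checker
decides whether gen_state (or gen, for the counter extension) rewrites to it
and returns the rules used, in the order they fire."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

# Constructed Mini-ML expression syntax: variables, lambdas and applications.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Lam:
    param: str
    body: "Expr"
@dataclass(frozen=True)
class App:
    fn: "Expr"
    arg: "Expr"
Expr = Union[Var, Lam, App]

def free_vars(e: Expr, bound: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    if isinstance(e, Var):
        return frozenset() if e.name in bound else frozenset({e.name})
    if isinstance(e, Lam):
        return free_vars(e.body, bound | {e.param})
    return free_vars(e.fn, bound) | free_vars(e.arg, bound)

def closed(e: Expr) -> bool:
    return not free_vars(e)

# Atomic propositions that make up an SSOS process state.
@dataclass(frozen=True)
class Eval:          # eval(e)
    e: Expr
@dataclass(frozen=True)
class Retn:          # retn(λx.e)
    v: Lam
@dataclass(frozen=True)
class ContArg:       # cont(□ e2): the function is being evaluated, e2 waits
    e2: Expr
@dataclass(frozen=True)
class ContApp:       # cont((λx.e) □): the function is known, its argument is being evaluated
    f: Lam
@dataclass(frozen=True)
class Store:         # store(n), from the counter extension
    n: int
Prop = Union[Eval, Retn, ContArg, ContApp, Store]

def derive_state(state: List[Prop]) -> Optional[List[str]]:
    """Rules of the gen_state signature that generate `state`, or None.
    gen/app1 and gen/app2 rewrite gen_state to gen_state • cont(...), so frames
    appear to the right of the remaining gen_state: the rightmost frame is
    generated first and gen/eval or gen/retn fires last.  Expressions inside
    frames are assumed closed, as eval(e) and retn(λx.e) require."""
    if not state:
        return None
    head, frames = state[0], state[1:]
    rules: List[str] = []
    for frame in reversed(frames):
        if isinstance(frame, ContArg) and closed(frame.e2):
            rules.append("gen/app1")
        elif isinstance(frame, ContApp) and closed(frame.f):
            rules.append("gen/app2")
        else:
            return None
    if isinstance(head, Eval) and closed(head.e):
        rules.append("gen/eval")
    elif isinstance(head, Retn) and closed(head.v):
        rules.append("gen/retn")
    else:
        return None
    return rules

def derive_state_with_store(state: List[Prop]) -> Optional[List[str]]:
    """Extended signature: gen ⇝ gen_store • gen_state, then gen_store ⇝ store(n)."""
    if not state or not isinstance(state[0], Store):
        return None
    rest = derive_state(state[1:])
    return None if rest is None else ["gen/all", "gen/store"] + rest

def is_final(state: List[Prop], with_store: bool = False) -> bool:
    """Final states: a lone retn(v), or store(n) to the left of retn(v) with the counter."""
    if with_store:
        return (len(state) == 2 and isinstance(state[0], Store)
                and isinstance(state[1], Retn))
    return len(state) == 1 and isinstance(state[0], Retn)

# The state proved well-formed in Figure 1.5, with its λz.e instantiated to λz.z.
FIGURE_1_5_STATE: List[Prop] = [
    Retn(Lam("y", Var("y"))),
    ContArg(Lam("z", Var("z"))),
    ContApp(Lam("x", Var("x"))),
]
```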

The grammar above describes a very coarse invariant of our SSOS specification, and it is possible to prove that specifications preserve more expressive invariants. An important class of examples are invariants about the types of expressions and process states, which will be considered in Chapter 9. For almost any SSOS specification more complicated than the one given above, type invariants are necessary for proving the progress theorem and concluding that the specification is safe - that is, free from undefined behavior. Chapter 10 will consider the use of generative invariants for proving safety properties of specifications.
1.4 Contributions

The three parts of this dissertation support three different aspects of our central thesis, which we can state as refined thesis statements that support the central thesis. We will presently discuss these supporting thesis statements along with the major contributions associated with each of the refinements.

Thesis (Part I): The methodology of structural focalization facilitates the derivation of logical frameworks as fragments of focused logics.

The first major contribution of Part I of the dissertation is the development of structural focalization and its application to linear logic (Chapter 2) and ordered linear lax logic (Chapter 3). The second major contribution is the justification of the logical framework SLS as a fragment of a focused logic, generalizing the hereditary substitution methodology of Watkins [WCPW02].

Thesis (Part II): A logical framework based on a rewriting interpretation of substructural logic supports many styles of programming language specification. These styles can be formally classified and connected by considering general transformations on logical specifications.

The major contribution of Part II is the development of the logical correspondence, a methodology for extending, classifying, inter-deriving, and modularly extending operational semantics specifications that are encoded in SLS, with an emphasis on SSOS specifications. The transformations in Chapter 6 connect big-step operational semantics specifications and the ordered abstract machine-style SSOS semantics that we introduced in Section 1.2. The destination-adding transformation given in Chapter 7 connects these specifications with the older destination-passing style of SSOS specification. In both chapters the transformations we discuss add new opportunities for modular extension - that is, new opportunities to add features to the language specification without revising existing rules. The transformations in these chapters are implemented in the SLS prototype, as demonstrated by the development in Appendix B.

Thesis (Part III): The SLS specification of the operational semantics of a programming language is a suitable basis for formal reasoning about properties of the specified language.

We discuss two techniques for formal reasoning about the properties of SSOS specifications in SLS. In Chapter 8 we discuss the logical approximation methodology and show that it can be used to take SSOS specifications and derive known control flow and alias analyses that are correct by construction. The use of generative signatures to describe invariants is discussed in Chapter 9, and the use of these invariants to prove safety properties of programming languages is discussed in Chapter 10.
Part I

Focusing substructural logics

Chapter 2

Linear logic


In this chapter, we present linear logic as a logic with the ability to express aspects of state and state transition in a natural way. In Chapter 3 we will repeat the development from this chapter in a much richer and more expressive setting, and in Chapter 4 we will carve out a fragment of this logic to use as the basis of SLS, our logical framework of substructural logical specifications. These three chapters contribute to the overall thesis by focusing on the design of logical frameworks:

Thesis (Part I): The methodology of structural focalization facilitates the derivation of logical frameworks as fragments of focused logics.

The purpose of this chapter is to introduce the methodology of structural focalization; this development is one of the major contributions of this work. Linear logic is a fairly simple logic that nevertheless allows us to consider many of the issues that will arise in richer substructural logics like the one considered in Chapter 3.

In Section 2.1 we motivate and discuss a traditional account of linear logic, and in Section 2.2 we discuss why this account is insufficient as a logical framework - derivations in linear logic suffice to establish the existence of a series of state transitions but do not adequately capture the structure of those transitions. Our remedy for this insufficiency comes in the form of focusing, Andreoli's restricted normal form for derivations in linear logic. We discuss focusing for a polarized presentation of linear logic in Section 2.3.

With focusing, we can describe synthetic inference rules (Section 2.4) that succinctly capture the structure of focused transitions. In Section 2.5 we discuss a number of ways of modifying the design of our focused logic to increase the expressiveness of synthetic inference rules; one of the alternatives we present, the introduction of permeable atomic propositions, will be generalized and incorporated into the focused presentation of ordered linear lax logic that we discuss in Chapter 3.


2.1 Introduction to linear logic

Logic as it has been traditionally understood and studied - both in its classical and intuitionistic varieties - treats the truth of a proposition as a persistent resource. That is, if we have evidence for the truth of a proposition, we can ignore that evidence if it is not needed and reuse the evidence as many times as we need to. Throughout this document, "logic as it has been traditionally understood and studied" will be referred to as persistent logic to emphasize this treatment of evidence.

Linear logic, which was studied and popularized by Girard [Gir87], treats evidence as an ephemeral resource; the use of an ephemeral resource consumes it, at which point it is unavailable for further use. Linear logic, like persistent logic, comes in classical and intuitionistic flavors. We will favor intuitionistic linear logic in part because the propositions of intuitionistic linear logic (written A, B, C, ...) have a more natural correspondence with our physical intuitions about consumable resources. Linear conjunction A ⊗ B ("A tensor B") represents the resource built from the resources A and B; if you have both a bowl of soup and a sandwich, that resource can be represented by the proposition soup ⊗ sandwich. Linear implication A ⊸ B ("A lolli B") represents a resource that can interact with another resource A to produce a resource B. One robot with batteries not included could be represented as the linear resource (battery ⊸ robot), and the linear resource (6bucks ⊸ soup ⊗ sandwich) represents the ability to use $6 to obtain lunch - but only once.¹ Linear logic also has a connective !A ("bang A" or "of course A") representing a persistent resource that can be used to generate any number of A resources, including zero. Your local Panera, which allows six dollars to be exchanged for both soup and a sandwich any number of times, can be represented as the resource !(6bucks ⊸ soup ⊗ sandwich).

Figure 2.1 presents a standard sequent calculus for linear logic, in particular the multiplicative, exponential fragment of intuitionistic linear logic (or MELL), so called because the connectives 1, A ⊗ B, and A ⊸ B are considered to be the multiplicative connectives, and the connective !A is the exponential connective of intuitionistic linear logic.² It corresponds most closely to Barber's dual intuitionistic linear logic [Bar96], but also to Andreoli's dyadic system [And92] and Chang et al.'s judgmental analysis of intuitionistic linear logic [CCP03].

¹ Conjunction will always bind more tightly than implication, so this is equivalent to the proposition 6bucks ⊸ (soup ⊗ sandwich).

The propositions of intuitionistic linear logic, and linear implication in particular, capture a notion of state change: we can transition from a state where we have both a battery and the battery-less robot (represented, as before, by the linear implication battery ⊸ robot) to a state where we have the battery-endowed (and therefore presumably functional) robot (represented by the proposition robot). In other words, the proposition

    battery ⊗ (battery ⊸ robot) ⊸ robot

is provable in linear logic. These transitions can be chained together as well: if we start out with 6bucks instead of battery but we also have the persistent ability to turn 6bucks into a battery - just like we turned $6 into a bowl of soup and a salad at Panera - then we can ultimately get our working robot as well. Written as a series of transitions, the picture looks like this:

    [Diagram: the resources $6 (1) and battery-less robot (1), together with the persistent rule "turn $6 into a battery (all you want)", transition to battery (1) and battery-less robot (1), and then to robot (1).]

In linear logic, these transitions correspond to the provability of the proposition

    !(6bucks ⊸ battery) ⊗ 6bucks ⊗ (battery ⊸ robot) ⊸ robot.

A derivation of this proposition is given in Figure 2.2.³

It is precisely because linear logic contains this intuitive notion of state and state transition that a rich line of work, dating back to Chirimar's 1995 dissertation, has sought to use linear logic as a logical framework for describing stateful systems [Chi95, CP02, CPWW02, Pfe04, Mil09, PS09, CS09].

2.2 Logical frameworks

Generally speaking, logical frameworks use the structure of proofs in a logic (like linear logic) to describe the structures we're interested in (like the process of obtaining a robot). There are two related reasons why linear logic as described in Figure 2.1 is not immediately useful as a logical framework. First, the structure of the derivation in Figure 2.2 doesn't really match the intuitive two-step transition that we sketched out above. Second, there are lots of derivations of our example proposition according to the rules in Figure 2.1, even though there's only one "real" series of transitions that get us to a working robot. The use of !L, for instance, could be permuted up past the ⊗L and then past the ⊸L into the left branch of the proof. These differences represent inessential nondeterminism in proof construction - they just get in the way of the structure that we are trying to capture.

This is a general problem in the construction of logical frameworks. We'll discuss two solutions in the context of LF, a logical framework based on dependent type theory that has proved to be a suitable means of encoding a wide variety of deductive systems, such as logics and programming languages [HHP93]. The first solution is to define an appropriate equivalence class of proofs, and the second solution is to define a complete set of canonical proofs.

² In this chapter we will mostly ignore the additive connectives of intuitionistic linear logic 0, A ⊕ B, ⊤, and A & B and will entirely ignore the first-order connectives ∃x.A and ∀x.A. The "why not" connective ?A from classical linear logic is sometimes treated as a second exponential connective in intuitionistic linear logic [CCP03], but we will never ask "why not?" in the context of this dissertation.

³ In Chapter 4 (and Section 4.7.2 in particular) we see that this view isn't quite precise enough, and that the "best" representation of state change from the state A to the state B isn't really captured by derivations of the proposition A ⊸ B or by derivations of the sequent ·; A → B. However, this view remains a simple and useful one; Cervesato and Scedrov cover it thoroughly in the context of intuitionistic linear logic [CS09].

    [Figure 2.2: the derivation itself was not recovered from the page.]

Figure 2.2: Proving that a transition is possible (where we let Γ = 6bucks ⊸ battery)

Defining an appropriate equivalence relation on proofs can be an effective way of handling this inessential nondeterminism. In linear logic as presented above, if the permutability of rules like !L and ⊗L is problematic, we can instead reason about equivalence classes of derivations. Derivations that differ only in the ordering of !L and ⊗L rules belong in the same equivalence class (which means we treat them as equivalent):

              D                                          D
    Γ, A; Δ, B, C → D                          Γ, A; Δ, B, C → D
    ────────────────────── ⊗L                  ────────────────────── !L
    Γ, A; Δ, B ⊗ C → D             ≡           Γ; Δ, !A, B, C → D
    ────────────────────── !L                  ────────────────────── ⊗L
    Γ; Δ, !A, B ⊗ C → D                        Γ; Δ, !A, B ⊗ C → D

In LF, lambda calculus terms (which correspond to derivations by the Curry-Howard correspondence) are considered modulo the least equivalence class that includes

* α-equivalence (λx.N = λy.N[y/x] if y ∉ FV(N)),

* β-equivalence ((λx.M)N = M[N/x] if x ∉ FV(N)), and

* η-equivalence (N = λx.N x).

The weak normalization property for LF establishes that, given any typed LF term, we can find an equivalent term that is β-normal (no β-redexes of the form (λx.M)N exist) and η-long (replacing N with λx.N x anywhere would introduce a β-redex or make the term ill-typed). In any given equivalence class of typed LF terms, all the β-normal and η-long terms are α-equivalent. Therefore, because α-equivalence is decidable, the equivalence of typed LF terms is decidable.

The uniqueness of β-normal and η-long terms within an equivalence class of lambda calculus terms (modulo α-equivalence, which we will henceforth take for granted) makes these terms useful as canonical representatives of equivalence classes. In Harper, Honsell, and Plotkin's original formulation of LF, a deductive system is said to be adequately encoded as an LF type family in the case that there is a compositional bijection between the formal objects in the deductive system and these β-normal, η-long representatives of equivalence classes [HHP93]. (Adequacy is a topic we will return to in Section 4.1.4.)

Modern presentations of LF, such as Harper and Licata's [HL07], follow the approach developed by Watkins et al. [WCPW02] and define the logical framework so that it only contains these β-normal, η-long canonical forms of LF. This presentation of LF is called Canonical LF to distinguish it from the original presentation of LF in which the β-normal, η-long terms are just a refinement of terms. A central component in this approach is hereditary substitution; in Chapter 3, we will make the connections between hereditary substitution and the focused cut admissibility property we prove in this chapter more explicit. Hereditary substitution also establishes a normalization property for LF. Using hereditary substitution we can easily take a regular LF term and transform it into a Canonical LF term. By a separate theorem, we can prove that the normalized term will be equivalent to the original term [MC12].

Our analogue to the canonical forms of LF will be the focused derivations of linear logic that are presented in the next section. In Section 2.3 below, we present focused linear logic and see that there is exactly one focused derivation of the proposition

    !(6bucks ⊸ battery) ⊗ 6bucks ⊗ (battery ⊸ robot) ⊸ robot.

We will furthermore see that the structure of this derivation matches the intuitive transition interpretation, a point that is reinforced by the discussion of synthetic inference rules in Section 2.4.

2.3 Focused linear logic

Andreoli's original motivation for introducing focusing was not to describe a logical framework; it was to describe a foundational logic programming paradigm based on proof search in classical linear logic [And92]. The existence of multiple proofs that differ in inessential ways is particularly problematic for proof search, as inessential differences between derivations correspond to unnecessary choice points that a proof search procedure will need to backtrack over.

The development in this section introduces structural focalization, a methodology for deriving the correctness of a focused sequent calculus (Theorem 2.5 and Theorem 2.6, Section 2.3.7) as a consequence of the internal completeness (identity expansion, Theorem 2.3, Section 2.3.5) and internal soundness (cut admissibility, Theorem 2.4, Section 2.3.6) of the focused system. This methodology is a substantial refinement of the method used by Chaudhuri to establish the correctness of focused intuitionistic linear logic [Cha06], and because it relies on structural methods, structural focalization is more amenable to mechanized proof [Sim11]. Our focused sequent calculus also departs from Chaudhuri's by treating asynchronous rules as confluent rather than fixed, a point that will be discussed in Section 2.3.8.
2.3.1 Polarity

The first step in describing a focused sequent calculus is to classify connectives into two groups [And92]. Some connectives, such as linear implication A ⊸ B, are called asynchronous because their right rules can always be applied eagerly, without backtracking, during bottom-up proof search. Other connectives, such as multiplicative conjunction A ⊗ B, are called synchronous because their right rules cannot be applied eagerly. For instance, if we are trying to prove the sequent A ⊗ B → B ⊗ A, the ⊗R rule cannot be applied eagerly; we first have to decompose A ⊗ B on the left using the ⊗L rule. The terms asynchronous and synchronous make a bit more sense in a one-sided classical sequent calculus; in intuitionistic logics, it is common to call asynchronous connectives right-asynchronous and left-synchronous. Similarly, it is common to call synchronous connectives right-synchronous and left-asynchronous. We will instead use a different designation, calling the (right-)synchronous connectives positive (!, ⊗, ⊕, 1, and 0 in full propositional linear logic) and calling the (right-)asynchronous connectives negative (⊸, ⊤ and & in full propositional linear logic); this assignment is called the proposition's polarity. Each atomic proposition must be assigned to have only one polarity, though this assignment can be made arbitrarily.

The nontrivial result of focusing is that it is possible to separate a proof into two strictly alternating phases. In inversion phases, positive propositions on the left and negative propositions on the right are eagerly and exhaustively decomposed using invertible rules.⁴ In focused phases, a single proposition is selected (the proposition in focus, which is either a positive proposition in right focus or a negative proposition in left focus). This proposition is then decomposed repeatedly and exhaustively using rules that are mostly non-invertible.

If we consider this discipline applied to our robot example where all atoms have been assigned positive polarity, we would begin with an inversion phase, decomposing the negative implication on the right and the positive tensor and exponential on the left:

    6bucks ⊸ battery; 6bucks, battery ⊸ robot → robot
    ────────────────────────────────────────────────────────────── ⊗L
    6bucks ⊸ battery; 6bucks ⊗ (battery ⊸ robot) → robot
    ────────────────────────────────────────────────────────────── !L
    ·; !(6bucks ⊸ battery), 6bucks ⊗ (battery ⊸ robot) → robot
    ────────────────────────────────────────────────────────────── ⊗L
    ·; !(6bucks ⊸ battery) ⊗ 6bucks ⊗ (battery ⊸ robot) → robot
    ────────────────────────────────────────────────────────────── ⊸R
    ·; · → !(6bucks ⊸ battery) ⊗ 6bucks ⊗ (battery ⊸ robot) ⊸ robot

Once we reach the topmost sequent in the above fragment, we have to pick a negative proposition on the left or a positive proposition on the right as our focus in order to proceed. The correct choice in this context is to pick the negative proposition 6bucks ⊸ battery in the persistent context and decompose it using the non-invertible rule ⊸L. Because the subformula 6bucks is positive and ends up on the right side in the subderivation, the focusing discipline requires that we prove it immediately with the id rule. Letting Γ = 6bucks ⊸ battery, this looks like this:

    ────────────────── id
    Γ; 6bucks → 6bucks          Γ; battery ⊸ robot, battery → robot
    ──────────────────────────────────────────────────────────────── ⊸L
    Γ; 6bucks, battery ⊸ robot, 6bucks ⊸ battery → robot
    ──────────────────────────────────────────────────────────────── copy
    Γ; 6bucks, battery ⊸ robot → robot

The trace (that is, the pair of a single bottom sequent and a set of unproved top sequents) of an inversion phase stacked on top of a focused phase is called a synthetic inference rule by Chaudhuri, a point we will return to in Section 2.4.

⁴ Synchronicity or polarity, a property of connectives, is closely connected to (and sometimes conflated with) a property of rules called invertibility; a rule is invertible if the conclusion of the rule implies the premises. So ⊸R is invertible (Γ; Δ → A ⊸ B implies Γ; Δ, A → B) but ⊸L is not (Γ; Δ, A ⊸ B → C does not imply that Δ = Δ₁, Δ₂ such that Γ; Δ₁ → A and Γ; Δ₂, B → C). Rules that can be applied eagerly need to be invertible, so asynchronous connectives have invertible right rules and synchronous connectives have invertible left rules. Therefore, in the literature a common synonym for asynchronous/negative is right-invertible, and the analogous synonym for synchronous/positive is left-invertible.

    Erasure (A+)° and (A−)° (only the implication case was recovered from the page):
      (A+ ⊸ B−)° = (A+)° ⊸ (B−)°

    Minimal polarization A⊕ (positive result) and A⊖ (negative result):
      (p+)⊕    = p+                     (p+)⊖    = ↑p+
      (!A)⊕    = !A⊖                    (!A)⊖    = ↑(!A⊖)
      (1)⊕     = 1                      (1)⊖     = ↑1
      (A ⊗ B)⊕ = A⊕ ⊗ B⊕                (A ⊗ B)⊖ = ↑(A⊕ ⊗ B⊕)
      (p−)⊕    = ↓p−                    (p−)⊖    = p−
      (A ⊸ B)⊕ = ↓(A⊕ ⊸ B⊖)             (A ⊸ B)⊖ = A⊕ ⊸ B⊖

Figure 2.3: De-polarizing and polarizing (with minimal shifts) propositions of MELL

2.3.2 Polarization

At this point, there is an important choice to make. One way forward is to treat positive and negative propositions as syntactic refinements of the set of all propositions, and to develop a focused presentation for intuitionistic linear logic with the connectives and propositions that we have already considered, as Chaudhuri did in [Cha06]. The other way forward is to treat positive and negative propositions as distinct syntactic classes A+ and A− with explicit inclusions, called shifts, between them. This is called polarized linear logic. The positive proposition ↓A−, pronounced "downshift A" or "down A," has a subterm that is a negative proposition; the negative proposition ↑A+, pronounced "upshift A" or "up A," has a subterm that is a positive proposition.

    A+ ::= p+ | ↓A− | !A− | 1 | A+ ⊗ B+
    A− ::= p− | ↑A+ | A+ ⊸ B−

The relationship between unpolarized and polarized linear logic is given by two erasure functions (A+)° and (A−)° that wipe away all the shifts; this function is defined in Figure 2.3. In the other direction, every proposition in unpolarized linear logic has a polarized analogue with a minimal number of shifts, given by the functions A⊕ and A⊖ in Figure 2.3. Both of these functions are partial inverses of erasure, since (A⊕)° = (A⊖)° = A; we will generally refer to partial inverses of erasure as polarization strategies. The strategies A⊕ and A⊖ are minimal, avoiding shifts wherever possible, but there are many other possible strategies, such as the fully-shifting strategy that always adds either one or two shifts between every connective, which we can write as (A)m+ = B+ and (A)m− = B−, defined in Figure 2.4.

    (p+)m+    = ↓↑p+                          (p+)m−    = ↑p+
    (!A)m+    = ↓↑!(A)m−                      (!A)m−    = ↑!(A)m−
    (1)m+     = ↓↑1                           (1)m−     = ↑1
    (A ⊗ B)m+ = ↓↑((A)m+ ⊗ (B)m+)             (A ⊗ B)m− = ↑((A)m+ ⊗ (B)m+)
    (p−)m+    = ↓p−                           (p−)m−    = ↑↓p−
    (A ⊸ B)m+ = ↓((A)m+ ⊸ (B)m−)              (A ⊸ B)m− = ↑↓((A)m+ ⊸ (B)m−)

Figure 2.4: Fully-shifting polarization strategy for MELL
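The two strategies of Figures 2.3 and 2.4 and the erasure identity (A⊕)° = (A⊖)° = A, as an added executable example that is not part of the dissertation: Python types for MELL and its polarized form, with erasure, the minimal strategy, the fully-shifting strategy and a shift counter, exercised on the robot proposition of Section 2.1. The right-hand sides of (!A)m− and (p−)m+ are not legible on the page and are assumed here to follow the pattern of the neighbouring cases.

```python
"""Erasure and the two polarization strategies of Figures 2.3 and 2.4.
Added example, not code from the dissertation.  Atoms carry their assigned
polarity; Down/Up are the shifts ↓A− and ↑A+, and erasure removes them."""
from dataclasses import dataclass
from typing import Union
@dataclass(frozen=True)
class Atom:
    name: str
    positive: bool      # p+ if True, p− otherwise
@dataclass(frozen=True)
class Bang:             # !A
    a: "Prop"
@dataclass(frozen=True)
class One:              # 1
    pass
@dataclass(frozen=True)
class Tensor:           # A ⊗ B
    a: "Prop"
    b: "Prop"
@dataclass(frozen=True)
class Lolli:            # A ⊸ B
    a: "Prop"
    b: "Prop"
@dataclass(frozen=True)
class Down:             # ↓A−, a positive proposition wrapping a negative one
    a: "Prop"
@dataclass(frozen=True)
class Up:               # ↑A+, a negative proposition wrapping a positive one
    a: "Prop"

Prop = Union[Atom, Bang, One, Tensor, Lolli, Down, Up]

def erase(a: Prop) -> Prop:
    """(A+)° and (A−)°: wipe away all the shifts."""
    if isinstance(a, (Down, Up)):
        return erase(a.a)
    if isinstance(a, Bang):
        return Bang(erase(a.a))
    if isinstance(a, (Tensor, Lolli)):
        return type(a)(erase(a.a), erase(a.b))
    return a  # atoms and 1

def min_pos(a: Prop) -> Prop:
    """A⊕ (Figure 2.3): shifts only where polarity forces them; result positive."""
    if isinstance(a, Atom):
        return a if a.positive else Down(a)
    if isinstance(a, Bang):
        return Bang(min_neg(a.a))
    if isinstance(a, Tensor):
        return Tensor(min_pos(a.a), min_pos(a.b))
    if isinstance(a, Lolli):
        return Down(Lolli(min_pos(a.a), min_neg(a.b)))
    return a  # 1

def min_neg(a: Prop) -> Prop:
    """A⊖ (Figure 2.3): result negative."""
    if isinstance(a, Lolli):
        return Lolli(min_pos(a.a), min_neg(a.b))
    if isinstance(a, Atom) and not a.positive:
        return a
    return Up(min_pos(a))  # p+, !A, 1 and A ⊗ B get one upshift around A⊕

def full_pos(a: Prop) -> Prop:
    """(A)m+ (Figure 2.4): one or two shifts between every connective; positive."""
    if isinstance(a, Atom):
        return Down(Up(a)) if a.positive else Down(a)  # (p−)m+ = ↓p− is assumed
    if isinstance(a, Bang):
        return Down(Up(Bang(full_neg(a.a))))
    if isinstance(a, Tensor):
        return Down(Up(Tensor(full_pos(a.a), full_pos(a.b))))
    if isinstance(a, Lolli):
        return Down(Lolli(full_pos(a.a), full_neg(a.b)))
    return Down(Up(a))  # 1

def full_neg(a: Prop) -> Prop:
    """(A)m− (Figure 2.4): result negative."""
    if isinstance(a, Atom):
        return Up(a) if a.positive else Up(Down(a))
    if isinstance(a, Bang):
        return Up(Bang(full_neg(a.a)))  # (!A)m− assumed by the pattern of the others
    if isinstance(a, Tensor):
        return Up(Tensor(full_pos(a.a), full_pos(a.b)))
    if isinstance(a, Lolli):
        return Up(Down(Lolli(full_pos(a.a), full_neg(a.b))))
    return Up(a)  # 1

def count_shifts(a: Prop) -> int:
    """Number of ↓ and ↑ in a polarized proposition."""
    if isinstance(a, (Down, Up)):
        return 1 + count_shifts(a.a)
    if isinstance(a, Bang):
        return count_shifts(a.a)
    if isinstance(a, (Tensor, Lolli)):
        return count_shifts(a.a) + count_shifts(a.b)
    return 0

# The robot proposition of Section 2.1, with every atom assigned positive polarity.
bucks, battery, robot = Atom("6bucks", True), Atom("battery", True), Atom("robot", True)
ROBOT = Lolli(Tensor(Bang(Lolli(bucks, battery)), Tensor(bucks, Lolli(battery, robot))), robot)
```

Both strategies erase back to ROBOT, but the minimal one places 4 shifts where the fully-shifting one places 20, which is the structural difference the text attributes to the two strategies.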

Shifts turn out to have a profound impact on the structure of focused proofs, though erasure requires that they have no impact on provability. For instance, the proofs of $A$ in Chaudhuri's focused presentation of linear logic are isomorphic to the proofs of $(A)^{\oplus}$ in the polarized logic discussed below,⁵ whereas the proofs of $(A)^{m+}$ in polarized logic are isomorphic to the unfocused proofs of linear logic as described in Figure 2.1. Other polarization strategies correspond to different focused logics, as explored by Liang and Miller in [LM09], so the presentation of polarized linear logic below, like Liang and Miller's LJF, can be seen in two ways: as a focused logic in its own right, and as a framework for defining many focused logics (one per polarization strategy). As such, the strongest statement of the correctness of focusing is based on erasure: there is an unfocused derivation of $(A^+)^\circ$ or $(A^-)^\circ$ if and only if there is a focused derivation of $A^+$ or $A^-$. Most existing proofs of the completeness of focusing only verify a weaker property: that there is an unfocused derivation of $A$ if and only if there is a focused derivation of $A^*$, where $A^*$ is some polarization strategy. The only exception seems to be Zeilberger's proof for classical persistent logic [Zei08b].

In this dissertation, we will be interested only in the structure of focused proofs, which corresponds to using the polarization strategy given by $A^{\oplus}$ and $A^{\ominus}$. Therefore, following Chaudhuri, it would be possible to achieve our objectives without the use of polarization. Our choice is largely based on practical considerations: the use of polarized logic simplifies the proof of identity expansion in Section 2.3.5 and the proof of completeness in Section 2.3.7. That said, polarized logic is an independently significant and currently active area of research. For instance, the Curry-Howard interpretation of polarized persistent logic has been studied by Levy as Call-by-Push-Value [Lev04]. The erasable influence of the shifts on the structure (but not the existence) of proofs is also important in the context of theorem proving. For instance, a theorem prover for polarized logic can imitate focused proof search by using the $(A)^{\oplus}$ polarization strategy and unfocused proof search by using the $(A)^{m+}$ polarization strategy [MP09].

⁵ This is isomorphism holds for Chaudhuri's focused presentation of linear logic precisely because his treatment of atomic propositions differs from Andreoli's. This isomorphism does not hold relative to focused systems that follow Andreoli's design, a point we will return to in Section 2.5.
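As an added illustration (my own code, not from the dissertation), the following Python encodes MELL propositions as tuples and implements the fully-shifting strategy of Figure 2.4 beside erasure and the minimal strategy $A^{\oplus}$/$A^{\ominus}$. Erasure and the minimal strategy are assumed to follow Figure 2.3, which this section does not reproduce; the tuple encoding, the well-formedness check against the grammar of Figure 2.5, and the sample proposition are my own. Running it confirms that erasure inverts both strategies and counts how many shifts each inserts.

```python
# Added example, not code from the dissertation. MELL propositions are nested
# tuples. The fully-shifting strategy (A)m+ / (A)m- is Figure 2.4; erasure and
# the minimal strategy are ASSUMED to follow Figure 2.3 (not shown here):
# erasure drops every shift, the minimal strategy inserts a shift only where
# the polarity of a subterm would otherwise clash with the connective above it.
# Atoms carry a fixed polarity, as in the thesis.

def atom(name, pol):
    """An atomic proposition p+ or p-; pol is '+' or '-'."""
    return ("atom", name, pol)

def erase(a):
    """(A)deg: drop every shift, keep atoms, units and connectives."""
    tag = a[0]
    if tag in ("atom", "one"):
        return a
    if tag in ("down", "up"):
        return erase(a[1])
    if tag == "bang":
        return ("bang", erase(a[1]))
    return (tag, erase(a[1]), erase(a[2]))        # tensor, lolli

def full_pos(a):
    """(A)m+ of Figure 2.4: one or two shifts above every connective."""
    tag = a[0]
    if tag == "atom" and a[2] == "-":
        return ("down", a)                         # (p-)m+ = down p-
    if tag == "lolli":
        return ("down", ("lolli", full_pos(a[1]), full_neg(a[2])))
    return ("down", full_neg(a))                   # p+, 1, !, tensor: down up ...

def full_neg(a):
    """(A)m- of Figure 2.4."""
    tag = a[0]
    if tag == "atom":
        return ("up", a) if a[2] == "+" else ("up", ("down", a))
    if tag == "one":
        return ("up", a)
    if tag == "bang":
        return ("up", ("bang", full_neg(a[1])))
    if tag == "tensor":
        return ("up", ("tensor", full_pos(a[1]), full_pos(a[2])))
    return ("up", ("down", ("lolli", full_pos(a[1]), full_neg(a[2]))))

def min_pos(a):
    """Assumed minimal strategy A^plus: shift only a negative subterm."""
    tag = a[0]
    if tag == "atom":
        return a if a[2] == "+" else ("down", a)
    if tag == "one":
        return a
    if tag == "bang":
        return ("bang", min_neg(a[1]))
    if tag == "tensor":
        return ("tensor", min_pos(a[1]), min_pos(a[2]))
    return ("down", ("lolli", min_pos(a[1]), min_neg(a[2])))

def min_neg(a):
    """Assumed minimal strategy A^minus: shift only a positive subterm."""
    tag = a[0]
    if tag == "atom":
        return a if a[2] == "-" else ("up", a)
    if tag == "lolli":
        return ("lolli", min_pos(a[1]), min_neg(a[2]))
    return ("up", min_pos(a))                      # 1, !, tensor are positive

def polarity(a):
    """Return '+' or '-' when a is well formed by the grammar of Figure 2.5
    (down/bang take a negative, up takes a positive, tensor takes two
    positives, lolli takes A+ and B-); raise ValueError otherwise."""
    tag = a[0]
    if tag == "atom":
        return a[2]
    if tag == "one":
        return "+"
    expected = {"down": ("-",), "up": ("+",), "bang": ("-",),
                "tensor": ("+", "+"), "lolli": ("+", "-")}[tag]
    got = tuple(polarity(x) for x in a[1:])
    if got != expected:
        raise ValueError("ill-formed %s: subterm polarities %r" % (tag, got))
    return "-" if tag in ("up", "lolli") else "+"

def count_shifts(a):
    """Number of shifts a polarization strategy inserted."""
    if a[0] in ("atom", "one"):
        return 0
    here = 1 if a[0] in ("down", "up") else 0
    return here + sum(count_shifts(x) for x in a[1:])

# Constructed sample proposition: (p+ tensor !(q+ lolli r-)) lolli s-
SAMPLE = ("lolli",
          ("tensor", atom("p", "+"),
           ("bang", ("lolli", atom("q", "+"), atom("r", "-")))),
          atom("s", "-"))

if __name__ == "__main__":
    for name, strategy in (("minimal", min_neg), ("fully-shifting", full_neg)):
        c = strategy(SAMPLE)
        print(name, polarity(c), count_shifts(c), erase(c) == SAMPLE)
```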
2.3.3 Focused sequent calculus

Usually, focused logics are described as having multiple sequent forms. For intuitionistic logics, there need to be at least three sequent forms:

* $\Gamma; \Delta \vdash [A^+]$ (the right focus sequent, where the proposition $A^+$ is in focus),

* $\Gamma; \Delta \vdash C$ (the inversion sequent), and

* $\Gamma; \Delta, [A^-] \vdash C$ (the left focus sequent, where the proposition $A^-$ is in focus).

It is also possible to distinguish a fourth sequent form, the stable sequents, inversion sequents $\Gamma; \Delta \vdash C$ where no asynchronous inversion remains to be done. A sufficient condition for stability is that the context $\Delta$ contains only negative propositions $A^-$ and the succedent $C$ is a positive proposition $A^+$. However, this cannot be a necessary condition for stability due to the presence of atomic propositions. If the process of inversion reaches a positive atomic proposition $p^+$ on the left or a negative atomic proposition $p^-$ on the right, the proposition can be decomposed no further. When we reach an atomic proposition, we are therefore forced to suspend decomposition, either placing a suspended positive atomic proposition $\langle p^+ \rangle$ in $\Delta$ or placing a suspended negative proposition $\langle p^- \rangle$ as the succedent. For technical reasons discussed below in Section 2.3.4, our sequent calculus can handle arbitrary suspended propositions, not just suspended atomic propositions, and suspended propositions are always treated as stable, so $\Gamma; A^-, B^-, C^- \vdash D^+$ and $\Gamma; \langle A^+ \rangle, B^-, \langle C^+ \rangle \vdash \langle D^- \rangle$ are both stable sequents.

Another reasonable presentation of linear logic, and the one we will adopt in this section, uses only one sequent form, $\Gamma; \Delta \vdash \underline{U}$, that generalizes what is allowed to appear in the linear context $\Delta$ or in the succedent $\underline{U}$. We will use this interpretation to understand the logic described in Figure 2.5. In addition to propositions $A^+$, $A^-$ and suspended positive propositions $\langle A^+ \rangle$, the grammar of contexts $\Delta$ allows them to contain left focuses $[A^-]$. Likewise, a succedent $\underline{U}$ can be a stable positive proposition $A^+$, a suspended negative proposition $\langle A^- \rangle$, a focused positive proposition $[A^+]$, or an inverting negative proposition $A^-$. We will henceforth write $\Delta$ and $U$ to indicate the refinements of $\Delta$ and $\underline{U}$ that do not contain any focus.

By adding a side condition to the three rules $\mathit{focus}_R$, $\mathit{focus}_L$, and $\mathit{copy}$ that neither the context $\Delta$ nor the succedent $U$ can contain an in-focus proposition $[A^+]$ or $[A^-]$, derivations can maintain the invariant that there is always at most one proposition in focus in any sequent, effectively restoring the situation in which there are three distinct judgments. Therefore, from this point on, we will only consider sequents $\Gamma; \Delta \vdash \underline{U}$ with at most one focus. Pfenning, who developed this construction in [Pfe12c], calls this invariant the focusing constraint. The focusing constraint alone gives us what Pfenning calls a chaining logic [Pfe12c] and which Laurent calls a weakly focused logic [Lau04].⁶ We obtain a fully focused logic by further restricting the three critical rules $\mathit{focus}_R$, $\mathit{focus}_L$, and $\mathit{copy}$ so that they only apply when the sequent below the line is stable. In light of this additional restriction, whenever we consider a focused sequent $\Gamma; \Delta, [A^-] \vdash U$ or $\Gamma; \Delta \vdash [A^+]$, we can assume that $\Delta$ and $U$ are stable.


⁶ Unfortunately, I made the meaning of "weak focusing" less precise by calling a different sort of logic weakly focused in [SP11b]. That weakly focused system had an additional restriction that invertible rules could not be applied when any other proposition was in focus, which is what Laurent called a strongly +-focused logic.
$A^+ ::= p^+ \mid \downarrow A^- \mid\; !A^- \mid 1 \mid A^+ \otimes B^+$

$A^- ::= p^- \mid \uparrow A^+ \mid A^+ \multimap B^-$

$\Gamma ::= \cdot \mid \Gamma, A^-$ (multiset)

$\Delta ::= \cdot \mid \Delta, A^+ \mid \Delta, A^- \mid \Delta, [A^-] \mid \Delta, \langle A^+ \rangle$ (multiset)

$\underline{U} ::= A^- \mid A^+ \mid [A^+] \mid \langle A^- \rangle$

Judgment: $\Gamma; \Delta \vdash \underline{U}$

$\dfrac{\Gamma; \Delta \vdash [A^+]}{\Gamma; \Delta \vdash A^+}\;\mathit{focus}_R \qquad \dfrac{\Gamma; \Delta, [A^-] \vdash U}{\Gamma; \Delta, A^- \vdash U}\;\mathit{focus}_L \qquad \dfrac{\Gamma, A^-; \Delta, [A^-] \vdash U}{\Gamma, A^-; \Delta \vdash U}\;\mathit{copy}$

$\dfrac{\Gamma; \Delta, \langle p^+ \rangle \vdash U}{\Gamma; \Delta, p^+ \vdash U}\;\eta^+ \qquad \dfrac{}{\Gamma; \langle A^+ \rangle \vdash [A^+]}\;\mathit{id}^+ \qquad \dfrac{\Gamma; \Delta \vdash \langle p^- \rangle}{\Gamma; \Delta \vdash p^-}\;\eta^- \qquad \dfrac{}{\Gamma; [A^-] \vdash \langle A^- \rangle}\;\mathit{id}^-$

$\dfrac{\Gamma; \Delta \vdash A^+}{\Gamma; \Delta \vdash \uparrow A^+}\;\uparrow_R \qquad \dfrac{\Gamma; \Delta, A^+ \vdash U}{\Gamma; \Delta, [\uparrow A^+] \vdash U}\;\uparrow_L \qquad \dfrac{\Gamma; \Delta \vdash A^-}{\Gamma; \Delta \vdash [\downarrow A^-]}\;\downarrow_R \qquad \dfrac{\Gamma; \Delta, A^- \vdash U}{\Gamma; \Delta, \downarrow A^- \vdash U}\;\downarrow_L$

$\dfrac{\Gamma; \cdot \vdash A^-}{\Gamma; \cdot \vdash [!A^-]}\;!_R \qquad \dfrac{\Gamma, A^-; \Delta \vdash U}{\Gamma; \Delta, !A^- \vdash U}\;!_L \qquad \dfrac{}{\Gamma; \cdot \vdash [1]}\;1_R \qquad \dfrac{\Gamma; \Delta \vdash U}{\Gamma; \Delta, 1 \vdash U}\;1_L$

$\dfrac{\Gamma; \Delta_1 \vdash [A^+] \qquad \Gamma; \Delta_2 \vdash [B^+]}{\Gamma; \Delta_1, \Delta_2 \vdash [A^+ \otimes B^+]}\;\otimes_R \qquad \dfrac{\Gamma; \Delta, A^+, B^+ \vdash U}{\Gamma; \Delta, A^+ \otimes B^+ \vdash U}\;\otimes_L$

$\dfrac{\Gamma; \Delta, A^+ \vdash B^-}{\Gamma; \Delta \vdash A^+ \multimap B^-}\;\multimap_R \qquad \dfrac{\Gamma; \Delta_1 \vdash [A^+] \qquad \Gamma; \Delta_2, [B^-] \vdash U}{\Gamma; \Delta_1, \Delta_2, [A^+ \multimap B^-] \vdash U}\;\multimap_L$

Figure 2.5: Focused intuitionistic linear logic


The persistent context of a focused derivation can always be weakened by adding more persistent resources. This weakening property can be phrased as an admissible rule, which we indicate using a dashed line:

$$\dfrac{\Gamma; \Delta \vdash \underline{U}}{\Gamma, \Gamma'; \Delta \vdash \underline{U}}\;\mathit{weaken}\ \text{(admissible)}$$

In developments following Pfenning's structural cut admissibility methodology [Pfe00], it is critical that the weakening theorem does not change the structure of proofs: that the structure of the derivation $\Gamma; \Delta \vdash \underline{U}$ is unchanged when we weaken it to $\Gamma, \Gamma'; \Delta \vdash \underline{U}$. It turns out that the development in this chapter does not rely on this property.

Suspended propositions ($\langle A^+ \rangle$ and $\langle A^- \rangle$) and the four rules that interact with suspended propositions ($\mathit{id}^+$, $\mathit{id}^-$, $\eta^+$, and $\eta^-$) are the main nonstandard aspect of this presentation. The $\eta^+$ and $\eta^-$ rules, which allow us to stop decomposing a proposition that we are eagerly decomposing with invertible rules, are restricted to atomic propositions, and there is no other way for suspended propositions to be introduced into the context with rules. It seems reasonable to restrict the two rules that capture the identity principles, $\mathit{id}^+$ and $\mathit{id}^-$, to atomic propositions as well. However, the seemingly unnecessary generality of these two identity rules makes it much easier to establish the standard metatheory of this sequent calculus. To see why this is the case, we will turn our attention to suspended propositions and the four admissible rules (two focal substitution principles and two identity expansion principles) that interact with suspended propositions.

2.3.4  Suspended  propositions 

In unfocused sequent calculi, it is generally possible to restrict the $\mathit{id}$ rule to atomic propositions (as shown in Figure 2.1). The general $\mathit{id}$ rule, which concludes $\Gamma; A \longrightarrow A$ for all propositions $A$, is admissible just as the cut rule is admissible. But while the cut rule can be eliminated completely, the atomic $\mathit{id}$ rule must remain. This is related to the logical interpretation of atomic propositions as stand-ins for unknown propositions. All sequent calculi, focused or unfocused, have the subformula property: every rule breaks down a proposition, either on the left or the right of the turnstile "$\vdash$", when read from bottom to top. We are unable to break down atomic propositions any further (they are unknown), thus the $\mathit{id}$ rule is necessary at atomic propositions. If we substitute a concrete proposition for some atomic proposition, the structure of the proof stays exactly the same, except that instances of initial sequents become admissible instances of the identity theorem.

To my knowledge, all published proof systems for focused logic have incorporated a focused version of the $\mathit{id}$ rule that also applies only to atomic propositions. This treatment is not incorrect and is obviously analogous to the $\mathit{id}$ rule from the unfocused system. Nevertheless, I believe this to be a design error, and it is one that has historically made it unnecessarily difficult to prove the identity theorem for focused systems. The alternative developed in this chapter is the use of suspensions. Suspended positive propositions $\langle A^+ \rangle$ only appear in the linear context $\Delta$, and suspended negative propositions $\langle A^- \rangle$ only appear as succedents. They are treated as stable (we never break down a suspended proposition) and are only used to immediately prove a proposition in focus with one of the identity rules $\mathit{id}^+$ or $\mathit{id}^-$. The rules $\mathit{id}^+$ and $\mathit{id}^-$ are more general focused versions of the unfocused $\mathit{id}$ rule. This extra generality does not influence the structure of proofs because suspended propositions can only be introduced into the context or the succedent by the $\eta^+$ and $\eta^-$ rules, and those rules are restricted to atomic propositions.

Suspended positive propositions act much like regular variables in a natural deduction system. The positive identity rule $\mathit{id}^+$ allows us to prove any positive proposition given that the positive proposition appears suspended in the context. There is a corresponding substitution principle for focal substitutions that has a natural-deduction-like flavor: we can substitute a derivation right-focused on $A^+$ for a suspended positive proposition $\langle A^+ \rangle$ in a context.

Theorem 2.1 (Focal substitution (positive)).

If $\Gamma; \Delta \vdash [A^+]$ and $\Gamma; \Delta', \langle A^+ \rangle \vdash \underline{U}$, then $\Gamma; \Delta', \Delta \vdash \underline{U}$.

Proof. Straightforward induction over the second given derivation, as in a proof of regular substitution in a natural deduction system. If the second derivation is the axiom $\mathit{id}^+$, the result follows immediately using the first given derivation. □

As discussed above in Section 2.3.3, because we only consider focused sequents that are otherwise stable, we assume that $\Delta$ in the statement of Theorem 2.1 is stable by virtue of it appearing in the focused sequent $\Gamma; \Delta \vdash [A^+]$. The second premise $\Gamma; \Delta', \langle A^+ \rangle \vdash \underline{U}$, on the other hand, may be a right-focused sequent $\Gamma; \Delta', \langle A^+ \rangle \vdash [B^+]$, a left-focused sequent $\Gamma; \Delta'', [B^-], \langle A^+ \rangle \vdash U$, or an inverting sequent.


Suspended negative propositions are a bit less intuitive than suspended positive propositions. While a derivation of $\Gamma; \Delta', \langle A^+ \rangle \vdash \underline{U}$ is missing a premise that can be satisfied by a derivation of $\Gamma; \Delta \vdash [A^+]$, a derivation of $\Gamma; \Delta \vdash \langle A^- \rangle$ is missing a continuation that can be satisfied by a derivation of $\Gamma; \Delta', [A^-] \vdash U$. The focal substitution principle, however, still takes the basic form of a substitution principle.

Theorem 2.2 (Focal substitution (negative)).

If $\Gamma; \Delta \vdash \langle A^- \rangle$ and $\Gamma; \Delta', [A^-] \vdash U$, then $\Gamma; \Delta', \Delta \vdash U$.

Proof. Straightforward induction over the first given derivation; if the first derivation is the axiom $\mathit{id}^-$, the result follows immediately using the second given derivation. □


Unlike cut admissibility, which we discuss in Section 2.3.6, both of the focal substitution principles are straightforward inductions over the structure of the derivation containing the suspended proposition. As an aside, when we encode the focused sequent calculus for persistent logic in LF, a suspended positive premise can be naturally encoded as a hypothetical right focus. This encoding makes the $\mathit{id}^+$ rule an instance of the hypothesis rule provided by LF and establishes Theorem 2.1 "for free" as an instance of LF substitution. This is possible to do for negative focal substitution as well, but it is counterintuitive and relies on a peculiar use of LF's uniform function space [Sim11].

The two substitution principles can be phrased as admissible rules for building derivations, like the $\mathit{weaken}$ rule above:

$$\dfrac{\Gamma; \Delta \vdash [A^+] \qquad \Gamma; \Delta', \langle A^+ \rangle \vdash \underline{U}}{\Gamma; \Delta', \Delta \vdash \underline{U}}\;\mathit{subst}^+ \qquad\qquad \dfrac{\Gamma; \Delta \vdash \langle A^- \rangle \qquad \Gamma; \Delta', [A^-] \vdash U}{\Gamma; \Delta', \Delta \vdash U}\;\mathit{subst}^-$$

Note the way in which these admissible substitution principles generalize the logic: $\mathit{subst}^+$ and $\mathit{subst}^-$ are the only rules we have discussed that allow us to introduce non-atomic suspended propositions, because only atomic suspended propositions are introduced explicitly by rules $\eta^+$ and $\eta^-$.
2.3.5 Identity expansion

Suspended propositions appear in Figure 2.5 in two places: in the identity rules, which we have just discussed and connected with the focal substitution principles, and in the rules marked $\eta^+$ and $\eta^-$, which are also the only mention of atomic propositions in the presentation. It is here that we need to make a critical shift of perspective from unfocused to focused logic. In an unfocused logic, the rules nondeterministically break down propositions, and the initial rule $\mathit{id}$ puts an end to this process when an atomic proposition is reached. In a focused logic, the focus and inversion phases must break down a proposition all the way until a shift is reached. The two $\eta$ rules are what put an end to this when an atomic proposition is reached, and they work hand-in-glove with the two $\mathit{id}$ rules that allow these necessarily suspended propositions to successfully conclude a right or left focus.

Just as the $\mathit{id}$ rule is a particular instance of the admissible identity sequent $\Gamma; A \longrightarrow A$ in unfocused linear logic, the atomic suspension rules $\eta^+$ and $\eta^-$ are instances of an admissible identity expansion rule in focused linear logic:

$$\dfrac{\Gamma; \Delta, \langle A^+ \rangle \vdash U}{\Gamma; \Delta, A^+ \vdash U}\;\eta^+\ \text{(admissible)} \qquad\qquad \dfrac{\Gamma; \Delta \vdash \langle A^- \rangle}{\Gamma; \Delta \vdash A^-}\;\eta^-\ \text{(admissible)}$$

In other words, the admissible identity expansion rules allow us to act as if the $\eta^+$ and $\eta^-$ rules apply to arbitrary propositions, not just atomic propositions. The atomic propositions must be handled by an explicit rule, but the general principle is admissible.

The two admissible identity expansion rules above can be rephrased as an identity expansion theorem:

Theorem 2.3 (Identity expansion).

* If $\Gamma; \Delta, \langle A^+ \rangle \vdash U$, then $\Gamma; \Delta, A^+ \vdash U$.

* If $\Gamma; \Delta \vdash \langle A^- \rangle$, then $\Gamma; \Delta \vdash A^-$.

Proof. Mutual induction over the structure of the proposition $A^+$ or $A^-$, with a critical use of focal substitution in each case.

Most of the cases of this proof are represented in Figure 2.6. The remaining case (for the multiplicative unit $1$) is presented in Figure 2.7 along with the cases for the additive connectives $0$, $\oplus$, $\top$, and $\&$, which are neglected elsewhere in this chapter. (Note that in Figures 2.6 and 2.7 we omit polarity annotations from propositions as they are always clear from the context.) □


The admissible identity expansion rules fit with an interpretation of positive atomic propositions as stand-ins for arbitrary positive propositions and of negative atomic propositions as stand-ins for arbitrary negative propositions: if we substitute a proposition for some atomic proposition, all the instances of atomic suspension corresponding to that rule become admissible instances of identity expansion.

The usual identity principles are corollaries of identity expansion:

$$\dfrac{\dfrac{\dfrac{}{\Gamma; \langle A^+ \rangle \vdash [A^+]}\;\mathit{id}^+}{\Gamma; \langle A^+ \rangle \vdash A^+}\;\mathit{focus}_R}{\Gamma; A^+ \vdash A^+}\;\eta^+ \qquad\qquad \dfrac{\dfrac{\dfrac{}{\Gamma; [A^-] \vdash \langle A^- \rangle}\;\mathit{id}^-}{\Gamma; A^- \vdash \langle A^- \rangle}\;\mathit{focus}_L}{\Gamma; A^- \vdash A^-}\;\eta^-$$
Case $\downarrow A$ (show $\Gamma; \Delta, \downarrow A \vdash U$ from $\Gamma; \Delta, \langle \downarrow A \rangle \vdash U$): from $\Gamma; [A] \vdash \langle A \rangle$ ($\mathit{id}^-$) we obtain $\Gamma; A \vdash \langle A \rangle$ ($\mathit{focus}_L$), then $\Gamma; A \vdash A$ ($\eta^-$, by the induction hypothesis), then $\Gamma; A \vdash [\downarrow A]$ ($\downarrow_R$). $\mathit{subst}^+$ with the given $\Gamma; \Delta, \langle \downarrow A \rangle \vdash U$ yields $\Gamma; \Delta, A \vdash U$, and $\downarrow_L$ yields $\Gamma; \Delta, \downarrow A \vdash U$.

Case $!A$ (show $\Gamma; \Delta, !A \vdash U$ from $\Gamma; \Delta, \langle !A \rangle \vdash U$): from $\Gamma, A; [A] \vdash \langle A \rangle$ ($\mathit{id}^-$) we obtain $\Gamma, A; \cdot \vdash \langle A \rangle$ ($\mathit{copy}$), then $\Gamma, A; \cdot \vdash A$ ($\eta^-$, induction hypothesis), then $\Gamma, A; \cdot \vdash [!A]$ ($!_R$). The given derivation is weakened to $\Gamma, A; \Delta, \langle !A \rangle \vdash U$ ($\mathit{weaken}$); $\mathit{subst}^+$ yields $\Gamma, A; \Delta \vdash U$, and $!_L$ yields $\Gamma; \Delta, !A \vdash U$.

Case $A \otimes B$ (show $\Gamma; \Delta, A \otimes B \vdash U$ from $\Gamma; \Delta, \langle A \otimes B \rangle \vdash U$): from $\Gamma; \langle A \rangle \vdash [A]$ and $\Gamma; \langle B \rangle \vdash [B]$ (both $\mathit{id}^+$), $\otimes_R$ gives $\Gamma; \langle A \rangle, \langle B \rangle \vdash [A \otimes B]$. $\mathit{subst}^+$ with the given derivation yields $\Gamma; \Delta, \langle A \rangle, \langle B \rangle \vdash U$; two uses of $\eta^+$ (induction hypothesis) yield $\Gamma; \Delta, A, \langle B \rangle \vdash U$ and then $\Gamma; \Delta, A, B \vdash U$, and $\otimes_L$ yields $\Gamma; \Delta, A \otimes B \vdash U$.

Case $\uparrow A$ (show $\Gamma; \Delta \vdash \uparrow A$ from $\Gamma; \Delta \vdash \langle \uparrow A \rangle$): from $\Gamma; \langle A \rangle \vdash [A]$ ($\mathit{id}^+$) we obtain $\Gamma; \langle A \rangle \vdash A$ ($\mathit{focus}_R$), then $\Gamma; A \vdash A$ ($\eta^+$, induction hypothesis), then $\Gamma; [\uparrow A] \vdash A$ ($\uparrow_L$). $\mathit{subst}^-$ with the given derivation yields $\Gamma; \Delta \vdash A$, and $\uparrow_R$ yields $\Gamma; \Delta \vdash \uparrow A$.

Case $A \multimap B$ (show $\Gamma; \Delta \vdash A \multimap B$ from $\Gamma; \Delta \vdash \langle A \multimap B \rangle$): from $\Gamma; \langle A \rangle \vdash [A]$ ($\mathit{id}^+$) and $\Gamma; [B] \vdash \langle B \rangle$ ($\mathit{id}^-$), $\multimap_L$ gives $\Gamma; \langle A \rangle, [A \multimap B] \vdash \langle B \rangle$. $\mathit{subst}^-$ with the given derivation yields $\Gamma; \Delta, \langle A \rangle \vdash \langle B \rangle$; $\eta^+$ and then $\eta^-$ (induction hypothesis) yield $\Gamma; \Delta, A \vdash \langle B \rangle$ and $\Gamma; \Delta, A \vdash B$, and $\multimap_R$ yields $\Gamma; \Delta \vdash A \multimap B$.

Figure 2.6: Identity expansion - restricting $\eta^+$ and $\eta^-$ to atomic propositions
Case $1$ (show $\Gamma; \Delta, 1 \vdash U$ from $\Gamma; \Delta, \langle 1 \rangle \vdash U$): $\mathit{subst}^+$ of $\Gamma; \cdot \vdash [1]$ ($1_R$) into the given derivation yields $\Gamma; \Delta \vdash U$, and $1_L$ yields $\Gamma; \Delta, 1 \vdash U$.

Case $0$ (show $\Gamma; \Delta, 0 \vdash U$ from $\Gamma; \Delta, \langle 0 \rangle \vdash U$): $\Gamma; \Delta, 0 \vdash U$ follows directly by $0_L$.

Case $A \oplus B$ (show $\Gamma; \Delta, A \oplus B \vdash U$ from $\Gamma; \Delta, \langle A \oplus B \rangle \vdash U$): from $\Gamma; \langle A \rangle \vdash [A]$ ($\mathit{id}^+$), $\oplus_{R1}$ gives $\Gamma; \langle A \rangle \vdash [A \oplus B]$; $\mathit{subst}^+$ with the given derivation yields $\Gamma; \Delta, \langle A \rangle \vdash U$, and $\eta^+$ (induction hypothesis) yields $\Gamma; \Delta, A \vdash U$. Symmetrically, using $\oplus_{R2}$, we obtain $\Gamma; \Delta, B \vdash U$, and $\oplus_L$ yields $\Gamma; \Delta, A \oplus B \vdash U$.

Case $\top$ (show $\Gamma; \Delta \vdash \top$ from $\Gamma; \Delta \vdash \langle \top \rangle$): $\Gamma; \Delta \vdash \top$ follows directly by $\top_R$.

Case $A \& B$ (show $\Gamma; \Delta \vdash A \& B$ from $\Gamma; \Delta \vdash \langle A \& B \rangle$): from $\Gamma; [A] \vdash \langle A \rangle$ ($\mathit{id}^-$), $\&_{L1}$ gives $\Gamma; [A \& B] \vdash \langle A \rangle$; $\mathit{subst}^-$ with the given derivation yields $\Gamma; \Delta \vdash \langle A \rangle$, and $\eta^-$ (induction hypothesis) yields $\Gamma; \Delta \vdash A$. Symmetrically, using $\&_{L2}$, we obtain $\Gamma; \Delta \vdash B$, and $\&_R$ yields $\Gamma; \Delta \vdash A \& B$.

Figure 2.7: Identity expansion for units and additive connectives

2.3.6  Cut  admissibility 

Cut admissibility, Theorem 2.4 below, mostly follows the well-worn contours of a structural cut admissibility argument [Pfe00]. A slight inelegance of the proof given here is that some very similar cases must be considered more than once in different parts of the proof. The right commutative cases - cases in which the last rule in the second given derivation is an invertible rule that is not decomposing the principal cut formula $A^+$ - must be repeated in parts 1 and 4, for instance. (Pfenning's classification of the cases of cut admissibility into principal, left commutative, and right commutative cuts is discussed in Section 3.4.) In addition to this duplication, the proof of part 4 is almost identical in form to the proof of part 5. The proof of cut admissibility in the next chapter will eliminate both forms of duplication.

The most important caveat about cut admissibility is that it is only applicable in the absence of any non-atomic suspended propositions. If we did not make this restriction, then in Theorem 2.4, part 1, we might encounter a derivation of $\Gamma; \langle A \otimes B \rangle \vdash [A \otimes B]$ that concludes with $\mathit{id}^+$ being cut into the derivation

$$\dfrac{\mathcal{E} :: \Gamma; \Delta', A, B \vdash U}{\Gamma; \Delta', A \otimes B \vdash U}\;\otimes_L$$

in which case there is no clear way to proceed and prove $\Gamma; \Delta', \langle A \otimes B \rangle \vdash U$.

Theorem 2.4 (Cut admissibility). For all $\Gamma$, $A^+$, $A^-$, $\Delta$, $\Delta'$, and $U$ that do not contain any non-atomic suspended propositions:

1. If $\Gamma; \Delta \vdash [A^+]$ and $\Gamma; \Delta', A^+ \vdash U$ (where $\Delta$ is stable), then $\Gamma; \Delta', \Delta \vdash U$.

2. If $\Gamma; \Delta \vdash A^-$ and $\Gamma; \Delta', [A^-] \vdash U$ (where $\Delta$, $\Delta'$, and $U$ are stable), then $\Gamma; \Delta', \Delta \vdash U$.

3. If $\Gamma; \Delta \vdash A^+$ and $\Gamma; \Delta', A^+ \vdash U$ (where $\Delta'$ and $U$ are stable), then $\Gamma; \Delta', \Delta \vdash U$.

4. If $\Gamma; \Delta \vdash A^-$ and $\Gamma; \Delta', A^- \vdash U$ (where $\Delta$ is stable), then $\Gamma; \Delta', \Delta \vdash U$.

5. If $\Gamma; \cdot \vdash A^-$ and $\Gamma, A^-; \Delta' \vdash U$, then $\Gamma; \Delta' \vdash U$.

Parts 1 and 2 are where most of the action happens, but there is a sense in which the necessary cut admissibility property is contained in the structure of parts 3, 4, and 5 - these are the cases used to prove the completeness of focusing (Theorem 2.6). The discrepancy between the stability restrictions demanded for part 1 and part 2 is discussed below; this peculiarity is justified by the fact that these two parts need only be general enough to prove parts 3, 4, and 5.

Proof. The proof is by induction: in each invocation of the induction hypothesis, either the principal cut formula $A^+$ or $A^-$ gets smaller or else it stays the same and the "part size" (1-5) gets smaller. When the principal cut formula and the part size remain the same, either the first given derivation gets smaller (part 3) or the second given derivation gets smaller (parts 1, 4 and 5).

This termination argument is a refinement of the standard structural termination argument for cut admissibility in unfocused logics [Pfe00] - in part 3, we don't need to know that the second given derivation stays the same size, and in parts 1, 4, and 5 we don't need to know that the first given derivation stays the same size. This refined termination argument is the reason that we do not need to prove that admissible weakening preserves the structure of proofs.

We schematically present one or two illustrative cases for each part of the proof.

Part 1 (positive principal cuts, right commutative cuts)

($\Delta_1$, $\Delta_2$ are stable by assumption)

Principal cut: the first derivation ends in $\otimes_R$ with premises $\mathcal{D}_1 :: \Gamma; \Delta_1 \vdash [A_1^+]$ and $\mathcal{D}_2 :: \Gamma; \Delta_2 \vdash [A_2^+]$, concluding $\Gamma; \Delta_1, \Delta_2 \vdash [A_1^+ \otimes A_2^+]$; the second ends in $\otimes_L$ with premise $\mathcal{E} :: \Gamma; \Delta', A_1^+, A_2^+ \vdash U$, concluding $\Gamma; \Delta', A_1^+ \otimes A_2^+ \vdash U$; cut(1) concludes $\Gamma; \Delta', \Delta_1, \Delta_2 \vdash U$.

$\Longrightarrow$ cut(1) of $\mathcal{D}_1$ and $\mathcal{E}$ gives $\Gamma; \Delta', \Delta_1, A_2^+ \vdash U$, and cut(1) of $\mathcal{D}_2$ and that derivation gives $\Gamma; \Delta', \Delta_1, \Delta_2 \vdash U$.

($\Delta$ is stable by assumption)

Right commutative cut: $\mathcal{D} :: \Gamma; \Delta \vdash [A^+]$; the second derivation ends in $\otimes_L$ with premise $\mathcal{E}' :: \Gamma; \Delta', B_1^+, B_2^+, A^+ \vdash U$, concluding $\Gamma; \Delta', B_1^+ \otimes B_2^+, A^+ \vdash U$; cut(1) concludes $\Gamma; \Delta', B_1^+ \otimes B_2^+, \Delta \vdash U$.

$\Longrightarrow$ cut(1) of $\mathcal{D}$ and $\mathcal{E}'$ gives $\Gamma; \Delta', B_1^+, B_2^+, \Delta \vdash U$, and $\otimes_L$ gives $\Gamma; \Delta', B_1^+ \otimes B_2^+, \Delta \vdash U$.

Part 2 (negative principal cuts)

($\Delta$, $\Delta'_1$, $\Delta'_2$, and $U$ are stable by assumption)

The first derivation ends in $\multimap_R$ with premise $\mathcal{D} :: \Gamma; \Delta, A_1^+ \vdash A_2^-$, concluding $\Gamma; \Delta \vdash A_1^+ \multimap A_2^-$; the second ends in $\multimap_L$ with premises $\mathcal{E}_1 :: \Gamma; \Delta'_1 \vdash [A_1^+]$ and $\mathcal{E}_2 :: \Gamma; \Delta'_2, [A_2^-] \vdash U$, concluding $\Gamma; \Delta'_1, \Delta'_2, [A_1^+ \multimap A_2^-] \vdash U$; cut(2) concludes $\Gamma; \Delta'_1, \Delta'_2, \Delta \vdash U$.

$\Longrightarrow$ cut(1) of $\mathcal{E}_1$ and $\mathcal{D}$ gives $\Gamma; \Delta'_1, \Delta \vdash A_2^-$, and cut(2) of that derivation and $\mathcal{E}_2$ gives $\Gamma; \Delta'_1, \Delta'_2, \Delta \vdash U$.

Part 3 (left commutative cuts)

($\Delta'$ and $U$ are stable by assumption; $\Delta$ is stable by the side condition on rule $\mathit{focus}_R$)

The first derivation ends in $\mathit{focus}_R$ with premise $\mathcal{D} :: \Gamma; \Delta \vdash [A^+]$, concluding $\Gamma; \Delta \vdash A^+$; with $\mathcal{E} :: \Gamma; \Delta', A^+ \vdash U$, cut(3) concludes $\Gamma; \Delta', \Delta \vdash U$.

$\Longrightarrow$ cut(1) of $\mathcal{D}$ and $\mathcal{E}$ gives $\Gamma; \Delta', \Delta \vdash U$ directly.

($\Delta'$ and $U$ are stable by assumption)

The first derivation ends in $\otimes_L$ with premise $\mathcal{D} :: \Gamma; \Delta, B_1^+, B_2^+ \vdash A^+$, concluding $\Gamma; \Delta, B_1^+ \otimes B_2^+ \vdash A^+$; with $\mathcal{E} :: \Gamma; \Delta', A^+ \vdash U$, cut(3) concludes $\Gamma; \Delta', \Delta, B_1^+ \otimes B_2^+ \vdash U$.

$\Longrightarrow$ cut(3) of $\mathcal{D}$ and $\mathcal{E}$ gives $\Gamma; \Delta', \Delta, B_1^+, B_2^+ \vdash U$, and $\otimes_L$ gives $\Gamma; \Delta', \Delta, B_1^+ \otimes B_2^+ \vdash U$.
$(\Gamma)^\circ$: $\quad (\cdot)^\circ = \cdot$ $\qquad$ $(\Gamma, A^-)^\circ = (\Gamma)^\circ, (A^-)^\circ$

$(\Delta)^\circ$: $\quad (\cdot)^\circ = \cdot$ $\qquad$ $(\Delta, A^+)^\circ = (\Delta)^\circ, (A^+)^\circ$ $\qquad$ $(\Delta, A^-)^\circ = (\Delta)^\circ, (A^-)^\circ$ $\qquad$ $(\Delta, [A^-])^\circ = (\Delta)^\circ, (A^-)^\circ$ $\qquad$ $(\Delta, \langle p^+ \rangle)^\circ = (\Delta)^\circ, p^+$

$(\underline{U})^\circ$: $\quad (A^-)^\circ$ and $(A^+)^\circ$ as for propositions $\qquad$ $([A^+])^\circ = (A^+)^\circ$ $\qquad$ $(\langle p^- \rangle)^\circ = p^-$

Figure 2.8: Lifting erasure and polarization (Figure 2.3) to contexts and succedents


Part 4 (right commutative cuts)

($\Delta$ is stable by assumption; $\Delta'$ and $U$ are stable by the side condition on rule $\mathit{focus}_L$)

The second derivation ends in $\mathit{focus}_L$ with premise $\mathcal{E}' :: \Gamma; \Delta', [A^-] \vdash U$, concluding $\Gamma; \Delta', A^- \vdash U$; with $\mathcal{D} :: \Gamma; \Delta \vdash A^-$, cut(4) concludes $\Gamma; \Delta', \Delta \vdash U$.

$\Longrightarrow$ cut(2) of $\mathcal{D}$ and $\mathcal{E}'$ gives $\Gamma; \Delta', \Delta \vdash U$ directly.

Part 5 (persistent right commutative cuts)

The second derivation ends in $!_R$ with premise $\mathcal{E}' :: \Gamma, A^-; \cdot \vdash B^-$, concluding $\Gamma, A^-; \cdot \vdash [!B^-]$; with $\mathcal{D} :: \Gamma; \cdot \vdash A^-$, cut(5) concludes $\Gamma; \cdot \vdash [!B^-]$.

$\Longrightarrow$ cut(5) of $\mathcal{D}$ and $\mathcal{E}'$ gives $\Gamma; \cdot \vdash B^-$, and $!_R$ gives $\Gamma; \cdot \vdash [!B^-]$.

All the other cases follow the same pattern. □

As noted above, there is a notable asymmetry between part 1 of the theorem, which does not require stability of $\Delta'$ and $U$ in the second given derivation $\Gamma; \Delta', A^+ \vdash U$, and part 2 of the theorem, which does require stability of $\Delta$ in the first given derivation $\Gamma; \Delta \vdash A^-$. The theorem would still hold for non-stable $\Delta$, but we do not need the more general theorem, and the less general theorem is easier to prove - it allows us to avoid duplicating the left commutative cuts between parts 2 and 3. On the other hand, we cannot make the theorem more specific, imposing extra stability conditions on part 1, without fixing the order in which invertible rules are applied. Fixing the order in which invertible rules are applied has some other advantages as well; this is a point we will return to in Section 2.3.8.

2.3.7  Correctness  of  focusing 

Now we will prove the correctness property for the focused, polarized logic that we discussed in Section 2.3.1: that there is an unfocused derivation of $(A^+)^\circ$ or $(A^-)^\circ$ if and only if there is a focused derivation of $A^+$ or $A^-$. The proof requires us to lift our erasure function to contexts and succedents, which is done in Figure 2.8. Note that erasure is only defined on focused sequents $\Gamma; \Delta \vdash \underline{U}$ when all suspended propositions are atomic. We are justified in making this restriction because non-atomic suspended propositions cannot arise in the process of proving a proposition $A^+$ or $A^-$ in an empty context, and we are required to make this restriction due to the analogous restrictions on cut admissibility (Theorem 2.4).

Theorems 2.5 and 2.6 therefore implicitly carry the same extra condition that we put on the cut admissibility theorem: that $\Delta$ and $U$ must contain only atomic suspended propositions.


Theorem 2.5 (Soundness of focusing). If $\Gamma; \Delta \vdash U$, then $\Gamma^\circ; \Delta^\circ \longrightarrow U^\circ$.

Proof. By straightforward induction on the given derivation; in each case, the result either follows directly by invoking the induction hypothesis (in the case of rules like $\downarrow_R$) or by invoking the induction hypothesis and applying one rule from Figure 2.1 (in the case of rules like $\otimes_R$). □

Theorem 2.6 (Completeness of focusing). If $\Gamma^\circ; \Delta^\circ \longrightarrow U^\circ$, where $\Delta$ and $U$ are stable, then $\Gamma; \Delta \vdash U$.

Proof. By induction on the first given derivation. Each rule in the unfocused system (Figure 2.1) corresponds to one unfocused admissibility lemma, plus some extra steps.

These extra steps are due to the generality of erasure. If we know that $!A = (C^+)^\circ$ (as in the case for $!_R$ below), then by case analysis on the structure of $C^+$, $C^+$ must be either $!B^-$ (for some $B^-$) or $\downarrow C_1^-$ (for some $C_1^-$). In the latter case, by further case analysis on $C_1^-$ we can see that $C_1^-$ must equal $\uparrow C_2^+$ (for some $C_2^+$). But then $C_2^+$ can be either $!B^-$ or $\downarrow C_3^-$; in the latter case $C^+ = \downarrow\uparrow\downarrow C_3^-$, and this can go on arbitrarily long (but not forever, because $C^+$ is a finite term). So we say that, by induction on the structure of $C^+$, there exists an $A^-$ such that $C^+ = \downarrow\uparrow\cdots\downarrow\uparrow\,!A^-$ and $A = (A^-)^\circ$. Depending on the case, we then repeatedly apply either the $\downarrow\!\uparrow_R$ rule or the $\uparrow\!\downarrow_L$ rule, both of which are derived below, to eliminate all the extra shifts. (Zero or more instances of a rule are indicated by a double-ruled inference rule.)

$$\dfrac{\Gamma; \Delta \vdash A^+}{\Gamma; \Delta \vdash \downarrow\uparrow A^+}\;\downarrow\!\uparrow_R \qquad \text{is derived as} \qquad \dfrac{\dfrac{\dfrac{\Gamma; \Delta \vdash A^+}{\Gamma; \Delta \vdash \uparrow A^+}\;\uparrow_R}{\Gamma; \Delta \vdash [\downarrow\uparrow A^+]}\;\downarrow_R}{\Gamma; \Delta \vdash \downarrow\uparrow A^+}\;\mathit{focus}_R$$

$$\dfrac{\Gamma; \Delta, A^- \vdash U}{\Gamma; \Delta, \uparrow\downarrow A^- \vdash U}\;\uparrow\!\downarrow_L \qquad \text{is derived as} \qquad \dfrac{\dfrac{\dfrac{\Gamma; \Delta, A^- \vdash U}{\Gamma; \Delta, \downarrow A^- \vdash U}\;\downarrow_L}{\Gamma; \Delta, [\uparrow\downarrow A^-] \vdash U}\;\uparrow_L}{\Gamma; \Delta, \uparrow\downarrow A^- \vdash U}\;\mathit{focus}_L$$


We will describe a few cases to illustrate how unfocused admissibility lemmas work.

Rule $\mathit{copy}$: We are given $\Gamma^\circ, A; \Delta^\circ, A \longrightarrow U^\circ$, which is used to derive $\Gamma^\circ, A; \Delta^\circ \longrightarrow U^\circ$. We know $A = (A^-)^\circ$. By the induction hypothesis, we have $\Gamma, A^-; \Delta, A^- \vdash U$, and we conclude with the unfocused admissibility lemma $\mathit{copy}_u$:

From $\Gamma, A^-; [A^-] \vdash \langle A^- \rangle$ ($\mathit{id}^-$) we obtain $\Gamma, A^-; \cdot \vdash \langle A^- \rangle$ ($\mathit{copy}$) and then $\Gamma, A^-; \cdot \vdash A^-$ ($\eta^-$, admissible); cut(4) of this derivation with $\Gamma, A^-; \Delta, A^- \vdash U$ gives $\Gamma, A^-; \Delta \vdash U$.


Rule $!_L$: We are given $\Gamma^\circ, A; \Delta^\circ \longrightarrow U^\circ$, which is used to derive $\Gamma^\circ; \Delta^\circ, !A \longrightarrow U^\circ$. We know $!A = (C^-)^\circ$; by induction on the structure of $C^-$ there exists $A^-$ such that $C^- = \uparrow\downarrow\cdots\uparrow\downarrow\uparrow\,!A^-$. By the induction hypothesis, we have $\Gamma, A^-; \Delta \vdash U$, and we conclude by the unfocused admissibility lemma $!_{uL}$, which is derivable:

From $\Gamma, A^-; \Delta \vdash U$ we obtain $\Gamma; \Delta, !A^- \vdash U$ ($!_L$), then $\Gamma; \Delta, [\uparrow !A^-] \vdash U$ ($\uparrow_L$), then $\Gamma; \Delta, \uparrow !A^- \vdash U$ ($\mathit{focus}_L$), and finally $\Gamma; \Delta, \uparrow\downarrow\cdots\uparrow\downarrow\uparrow\,!A^- \vdash U$ by zero or more uses of $\uparrow\!\downarrow_L$.


Rule $!R$: We are given $\Gamma^\circ;\cdot\to A$, which is used to derive $\Gamma^\circ;\cdot\to{!}A$. We know ${!}A = (C^+)^\circ$; by induction on the structure of $C^+$ there exists $A^-$ such that $C^+ = {\downarrow}{\uparrow}\cdots{!}A^-$. By the induction hypothesis, we have $\Gamma;\cdot\vdash{\downarrow}A^-$, and we conclude by the unfocused admissibility lemma ${!}_{uR}$:


\[
\infer=[{\downarrow}{\uparrow}_{uR}]{\Gamma;\cdot\vdash{\downarrow}{\uparrow}\cdots{!}A^-}{
 \infer[\text{cut}(5)]{\Gamma;\cdot\vdash{!}A^-}{
  \infer[\text{cut}(3)]{\Gamma;\cdot\vdash A^-}{
   \Gamma;\cdot\vdash{\downarrow}A^-
   &
   \infer[\eta^-]{\Gamma;{\downarrow}A^-\vdash A^-}{
    \infer[{\downarrow}L]{\Gamma;{\downarrow}A^-\vdash\langle A^-\rangle}{
     \infer[\text{focus}_L]{\Gamma;A^-\vdash\langle A^-\rangle}{
      \infer[\text{id}^-]{\Gamma;[A^-]\vdash\langle A^-\rangle}{}}}}}
  &
  \infer[\text{focus}_R]{\Gamma,A^-;\cdot\vdash{!}A^-}{
   \infer[{!}R]{\Gamma,A^-;\cdot\vdash[{!}A^-]}{
    \infer[\eta^-]{\Gamma,A^-;\cdot\vdash A^-}{
     \infer[\text{copy}]{\Gamma,A^-;\cdot\vdash\langle A^-\rangle}{
      \infer[\text{id}^-]{\Gamma,A^-;[A^-]\vdash\langle A^-\rangle}{}}}}}}}
\]


Rule ${\multimap}L$: We are given $\Gamma^\circ;\Delta_A^\circ\to A$ and $\Gamma^\circ;\Delta^\circ,B\to U^\circ$, which are used to derive $\Gamma^\circ;\Delta_A^\circ,\Delta^\circ,A\multimap B\to U^\circ$. We know $A\multimap B = (C^-)^\circ$; by induction on the structure of $C^-$ there exist $A^+$ and $B^-$ such that $A = (A^+)^\circ$, $B = (B^-)^\circ$, and $C^- = {\uparrow}{\downarrow}\cdots{\uparrow}{\downarrow}(A^+\multimap B^-)$. By the induction hypothesis, we have $\Gamma;\Delta_A\vdash A^+$ and $\Gamma;\Delta,B^-\vdash U$, and we conclude by the unfocused admissibility lemma ${\multimap}_{uL}$:


\[
\infer=[{\uparrow}{\downarrow}_{uL}]{\Gamma;\Delta_A,\Delta,{\uparrow}{\downarrow}\cdots{\uparrow}{\downarrow}(A^+\multimap B^-)\vdash U}{
 \infer[\text{cut}(3)]{\Gamma;\Delta_A,\Delta,A^+\multimap B^-\vdash U}{
  \infer[\text{cut}(3)]{\Gamma;\Delta_A,A^+\multimap B^-\vdash{\downarrow}B^-}{
   \Gamma;\Delta_A\vdash A^+
   &
   \infer[\eta^+]{\Gamma;A^+,A^+\multimap B^-\vdash{\downarrow}B^-}{
    \infer[\text{focus}_R]{\Gamma;\langle A^+\rangle,A^+\multimap B^-\vdash{\downarrow}B^-}{
     \infer[{\downarrow}R]{\Gamma;\langle A^+\rangle,A^+\multimap B^-\vdash[{\downarrow}B^-]}{
      \infer[\eta^-]{\Gamma;\langle A^+\rangle,A^+\multimap B^-\vdash B^-}{
       \infer[\text{focus}_L]{\Gamma;\langle A^+\rangle,A^+\multimap B^-\vdash\langle B^-\rangle}{
        \infer[{\multimap}L]{\Gamma;\langle A^+\rangle,[A^+\multimap B^-]\vdash\langle B^-\rangle}{
         \infer[\text{id}^+]{\Gamma;\langle A^+\rangle\vdash[A^+]}{}
         &
         \infer[\text{id}^-]{\Gamma;[B^-]\vdash\langle B^-\rangle}{}}}}}}}}
  &
  \infer[{\downarrow}L]{\Gamma;\Delta,{\downarrow}B^-\vdash U}{\Gamma;\Delta,B^-\vdash U}}}
\]
Rule ${\multimap}R$: We are given $\Gamma^\circ;\Delta^\circ,A\to B$, which is used to derive $\Gamma^\circ;\Delta^\circ\to A\multimap B$. We know $A\multimap B = (C^+)^\circ$; by induction on the structure of $C^+$ there exist $A^+$ and $B^-$ such that $A = (A^+)^\circ$, $B = (B^-)^\circ$, and $C^+ = {\downarrow}{\uparrow}\cdots{\downarrow}(A^+\multimap B^-)$. By the induction hypothesis, we have $\Gamma;\Delta,{\uparrow}A^+\vdash{\downarrow}B^-$, and we conclude by the unfocused admissibility lemma ${\multimap}_{uR}$:


\[
\infer=[{\downarrow}{\uparrow}_{uR}]{\Gamma;\Delta\vdash{\downarrow}{\uparrow}\cdots{\downarrow}(A^+\multimap B^-)}{
 \infer[\text{cut}(4)]{\Gamma;\Delta\vdash{\downarrow}(A^+\multimap B^-)}{
  \infer[{\multimap}R]{\Gamma;\Delta\vdash{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-}{
   \infer[{\downarrow}L]{\Gamma;\Delta,{\downarrow}{\uparrow}A^+\vdash{\uparrow}{\downarrow}B^-}{
    \infer[{\uparrow}R]{\Gamma;\Delta,{\uparrow}A^+\vdash{\uparrow}{\downarrow}B^-}{
     \Gamma;\Delta,{\uparrow}A^+\vdash{\downarrow}B^-}}}
  &
  \infer[\text{focus}_R]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-\vdash{\downarrow}(A^+\multimap B^-)}{
   \infer[{\downarrow}R]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-\vdash[{\downarrow}(A^+\multimap B^-)]}{
    \infer[{\multimap}R]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-\vdash A^+\multimap B^-}{
     \infer[\eta^+]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-,A^+\vdash B^-}{
      \infer[\eta^-]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-,\langle A^+\rangle\vdash B^-}{
       \infer[\text{focus}_L]{\Gamma;{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-,\langle A^+\rangle\vdash\langle B^-\rangle}{
        \infer[{\multimap}L]{\Gamma;\langle A^+\rangle,[{\downarrow}{\uparrow}A^+\multimap{\uparrow}{\downarrow}B^-]\vdash\langle B^-\rangle}{
         \infer[{\downarrow}R]{\Gamma;\langle A^+\rangle\vdash[{\downarrow}{\uparrow}A^+]}{
          \infer[{\uparrow}R]{\Gamma;\langle A^+\rangle\vdash{\uparrow}A^+}{
           \infer[\text{focus}_R]{\Gamma;\langle A^+\rangle\vdash A^+}{
            \infer[\text{id}^+]{\Gamma;\langle A^+\rangle\vdash[A^+]}{}}}}
         &
         \infer[{\uparrow}L]{\Gamma;[{\uparrow}{\downarrow}B^-]\vdash\langle B^-\rangle}{
          \infer[{\downarrow}L]{\Gamma;{\downarrow}B^-\vdash\langle B^-\rangle}{
           \infer[\text{focus}_L]{\Gamma;B^-\vdash\langle B^-\rangle}{
            \infer[\text{id}^-]{\Gamma;[B^-]\vdash\langle B^-\rangle}{}}}}}}}}}}}}}
\]


All  the  other  cases  follow  the  same  pattern. 


□ 


2.3.8  Confluent  versus  fixed  inversion 

A salient feature of this presentation of focusing is that invertible, non-focused rules need not be applied in any particular order. Therefore, the last step in a proof of $\Gamma;\Delta,A\otimes B,1,{!}C\vdash D\multimap E$ could be ${\otimes}L$, $1L$, ${!}L$, or ${\multimap}R$. The style is exemplified by Liang and Miller's LJF [LM09], and the confluent presentation in this chapter is closely faithful to Pfenning's course notes on linear logic [Pfe12c].

Allowing  for  this  inessential  nondeterminism  simplifies  the  presentation  a  bit,  but  it  also 
gets  in  the  way  of  effective  proof  search  and  canonical  derivations  if  we  do  not  address  it  in 
some  way.  The  different  possibilities  for  addressing  this  nondeterminism  within  an  inversion 
phase  echo  the  discussion  of  nondeterminism  in  LF  from  the  beginning  of  the  chapter.  We  can, 
as  suggested  in  that  discussion,  declare  that  all  proofs  which  differ  only  by  the  order  of  their 
invertible,  non-focused  rules  be  treated  as  equivalent.  It  is  possible  to  establish  that  all  possible 
inversion  orderings  will  lead  to  the  same  set  of  stable  sequents,  which  lets  us  know  that  all  of 
these  reorderings  do  not  fundamentally  change  the  structure  of  the  rest  of  the  proof.  This  property 
already  seems  to  be  necessary  to  prove  unfocused  cut  as  expressed  by  this  admissible  rule: 

\[
\infer[\text{cut}]{\Gamma;\Delta,\Delta'\vdash U}{\Gamma;\Delta\vdash A & \Gamma;\Delta',A\vdash U}
\]

(where $A$ is $A^+$ or $A^-$ and $\Delta$, $\Delta'$, and $U$ contain no focus but may not be stable). If $A$ is $A^+$, proving the admissibility of this rule involves permuting invertible rules in the second given derivation, $\Gamma;\Delta',A^+\vdash U$, until $A^+$ is the only unstable part of the second sequent, at which point part 3 of Theorem 2.4 applies. Similarly, if $A$ is $A^-$, we must permute invertible rules in the first given derivation until $A^-$ is the only unstable part of the first sequent, at which point part 4 of Theorem 2.4 applies.
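As an added illustration (not from the dissertation), take the polarized instance $\Gamma;\Delta,a^+\otimes b^+,1,{!}C^-\vdash d^+\multimap e^-$ of the sequent discussed above, where $a^+$, $b^+$ and $d^+$ are positive atoms and $e^-$ is a negative atom (these atoms are this example's own assumption, chosen so that inversion bottoms out in suspended atoms). Two inversion orderings, one decomposing the antecedents left to right before touching the succedent and one starting with the succedent, reach the same stable sequent; they differ only in the order of the invertible rules, which is exactly what the equivalence described above identifies:

\[
\infer[{\otimes}L]{\Gamma;\Delta,a^+\otimes b^+,1,{!}C^-\vdash d^+\multimap e^-}{
 \infer[\eta^+]{\Gamma;\Delta,a^+,b^+,1,{!}C^-\vdash d^+\multimap e^-}{
  \infer[\eta^+]{\Gamma;\Delta,\langle a^+\rangle,b^+,1,{!}C^-\vdash d^+\multimap e^-}{
   \infer[1L]{\Gamma;\Delta,\langle a^+\rangle,\langle b^+\rangle,1,{!}C^-\vdash d^+\multimap e^-}{
    \infer[{!}L]{\Gamma;\Delta,\langle a^+\rangle,\langle b^+\rangle,{!}C^-\vdash d^+\multimap e^-}{
     \infer[{\multimap}R]{\Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle\vdash d^+\multimap e^-}{
      \infer[\eta^+]{\Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle,d^+\vdash e^-}{
       \infer[\eta^-]{\Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle,\langle d^+\rangle\vdash e^-}{
        \Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle,\langle d^+\rangle\vdash\langle e^-\rangle}}}}}}}}
\]

\[
\infer[{\multimap}R]{\Gamma;\Delta,a^+\otimes b^+,1,{!}C^-\vdash d^+\multimap e^-}{
 \infer[\eta^-]{\Gamma;\Delta,a^+\otimes b^+,1,{!}C^-,d^+\vdash e^-}{
  \infer[{!}L]{\Gamma;\Delta,a^+\otimes b^+,1,{!}C^-,d^+\vdash\langle e^-\rangle}{
   \infer[1L]{\Gamma,C^-;\Delta,a^+\otimes b^+,1,d^+\vdash\langle e^-\rangle}{
    \infer[\eta^+]{\Gamma,C^-;\Delta,a^+\otimes b^+,d^+\vdash\langle e^-\rangle}{
     \infer[{\otimes}L]{\Gamma,C^-;\Delta,a^+\otimes b^+,\langle d^+\rangle\vdash\langle e^-\rangle}{
      \infer[\eta^+]{\Gamma,C^-;\Delta,a^+,b^+,\langle d^+\rangle\vdash\langle e^-\rangle}{
       \infer[\eta^+]{\Gamma,C^-;\Delta,\langle a^+\rangle,b^+,\langle d^+\rangle\vdash\langle e^-\rangle}{
        \Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle,\langle d^+\rangle\vdash\langle e^-\rangle}}}}}}}}
\]

Both orderings end at $\Gamma,C^-;\Delta,\langle a^+\rangle,\langle b^+\rangle,\langle d^+\rangle\vdash\langle e^-\rangle$, so any focused proof that completes one of them completes the other. The confluence property referred to above is the statement that this coincidence holds for every pair of orderings of every inversion phase, not just for the two extremes shown here.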

By proving and using this more general cut property, it would be possible to prove a more general completeness theorem: if $\Gamma^\circ;\Delta^\circ\to U^\circ$, then $\Gamma;\Delta\vdash U$ (Theorem 2.6 as stated also requires that $\Delta$ and $U$ be stable). The cases of this new theorem corresponding to the unfocused rules $!R$, ${\multimap}R$, and ${\otimes}R$, which required the use of doubly-shifted side derivations in our presentation, are trivial in this modified presentation. Unfortunately, the proof of unfocused cut, while simple, is tedious and long. Gentzen's original proof of cut admissibility [Gen35] and Pfenning's mechanization [Pfe00] both scale linearly with the number of connectives and rules in the logic; the proofs of identity expansion, cut admissibility, soundness of focusing, and completeness of focusing presented in this chapter do too. There is no known proof of the unfocused admissibility of the rule cut above that scales linearly in this way: all known proofs grow quadratically with the number of connectives and rules in the logic.

Once  we  equate  all  proofs  that  differ  only  on  the  order  in  which  inference  rules  are  applied 
within  an  inversion  phase,  we  can  pick  some  member  of  each  equivalence  class  to  serve  as  a 
canonical  representative;  this  will  suffice  to  solve  the  problems  with  proof  search,  as  we  can 
search  for  the  canonical  representatives  of  focused  proofs  rather  than  searching  within  the  larger 
set  of  all  focused  proofs.  The  most  common  canonical  representatives  force  invertible  rules  to 
decompose  propositions  in  a  depth-first  ordering. 

Then, reminiscent of the move from LF to Canonical LF, the logic itself can be restricted so that only the canonical representatives are admitted. The most convenient way of forcing a left-most, depth-first ordering is to isolate the invertible propositions ($A^+$ on the left and $A^-$ on the right) in separate, ordered inversion contexts, and then to only work on the left-most proposition in the context. This is the way most focused logics are defined, including those by Andreoli, Chaudhuri, and myself in the next chapter. This style of presenting a focusing logic can be called a fixed presentation, as the inversion phase is fixed in a particular, though fundamentally arbitrary, shape.

The completeness of focusing for a fixed presentation of focusing is implied by the completeness of focusing for a confluent presentation of the same logic along with the appropriate confluence property for that logic, whereas the reverse is not true. In this sense, the confluent presentation allows us to prove a stronger theorem than the fixed presentation does, though the fixed presentation will be sufficient for our purposes here and in later chapters. We will not prove confluence in this chapter, though doing so is a straightforward exercise.


2.3.9  Running  example 

Figure  2.9  gives  the  result  of  taking  our  robot  example,  Figure  2.2,  through  the  polarization 
process  and  then  running  the  result  through  Theorem  2.6.  There  is  indeed  only  one  proof  of 
this  focused  proposition  up  to  the  reordering  of  invertible  rules,  and  only  one  proof  period  if  we 
always  decompose  invertible  propositions  in  a  left-most  (i.e.,  depth-first)  ordering  as  we  do  in 
Figure  2.9. 
\[
\infer[\text{focus}_R]{\cdot;\cdot\vdash{\downarrow}({!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery})\otimes\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\multimap{\uparrow}\mathit{robot})}{
\infer[{\downarrow}R]{\cdot;\cdot\vdash[{\downarrow}({!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery})\otimes\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\multimap{\uparrow}\mathit{robot})]}{
\infer[{\multimap}R]{\cdot;\cdot\vdash{!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery})\otimes\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\multimap{\uparrow}\mathit{robot}}{
\infer[{\otimes}L]{\cdot;{!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery})\otimes\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\vdash{\uparrow}\mathit{robot}}{
\infer[{!}L]{\cdot;{!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery}),\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\vdash{\uparrow}\mathit{robot}}{
\infer[{\otimes}L]{\Gamma;\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\vdash{\uparrow}\mathit{robot}}{
\infer[\eta^+]{\Gamma;\mathit{6bucks},{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\vdash{\uparrow}\mathit{robot}}{
\infer[{\downarrow}L]{\Gamma;\langle\mathit{6bucks}\rangle,{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\vdash{\uparrow}\mathit{robot}}{
\infer[{\uparrow}R]{\Gamma;\langle\mathit{6bucks}\rangle,\mathit{battery}\multimap{\uparrow}\mathit{robot}\vdash{\uparrow}\mathit{robot}}{
\infer[\text{copy}]{\Gamma;\langle\mathit{6bucks}\rangle,\mathit{battery}\multimap{\uparrow}\mathit{robot}\vdash\mathit{robot}}{
\infer[{\multimap}L]{\Gamma;\langle\mathit{6bucks}\rangle,\mathit{battery}\multimap{\uparrow}\mathit{robot},[\mathit{6bucks}\multimap{\uparrow}\mathit{battery}]\vdash\mathit{robot}}{
 \infer[\text{id}^+]{\Gamma;\langle\mathit{6bucks}\rangle\vdash[\mathit{6bucks}]}{}
 &
 \infer[{\uparrow}L]{\Gamma;\mathit{battery}\multimap{\uparrow}\mathit{robot},[{\uparrow}\mathit{battery}]\vdash\mathit{robot}}{
 \infer[\eta^+]{\Gamma;\mathit{battery}\multimap{\uparrow}\mathit{robot},\mathit{battery}\vdash\mathit{robot}}{
 \infer[\text{focus}_L]{\Gamma;\mathit{battery}\multimap{\uparrow}\mathit{robot},\langle\mathit{battery}\rangle\vdash\mathit{robot}}{
 \infer[{\multimap}L]{\Gamma;\langle\mathit{battery}\rangle,[\mathit{battery}\multimap{\uparrow}\mathit{robot}]\vdash\mathit{robot}}{
  \infer[\text{id}^+]{\Gamma;\langle\mathit{battery}\rangle\vdash[\mathit{battery}]}{}
  &
  \infer[{\uparrow}L]{\Gamma;[{\uparrow}\mathit{robot}]\vdash\mathit{robot}}{
  \infer[\eta^+]{\Gamma;\mathit{robot}\vdash\mathit{robot}}{
  \infer[\text{focus}_R]{\Gamma;\langle\mathit{robot}\rangle\vdash\mathit{robot}}{
  \infer[\text{id}^+]{\Gamma;\langle\mathit{robot}\rangle\vdash[\mathit{robot}]}{}}}}}}}}}}}}}}}}}}}
\]

Figure 2.9: Proving that a focused transition is possible (where we let $\Gamma = \mathit{6bucks}\multimap{\uparrow}\mathit{battery}$)


We have therefore successfully used focusing to get a canonical proof structure that correctly corresponds to our informal series of transitions:

{ $6 (1), battery-less robot (1), turn $6 into a battery (all you want) }

⟶ { battery (1), battery-less robot (1), turn $6 into a battery (all you want) }

⟶ { robot (1), turn $6 into a battery (all you want) }

But at what cost? Figure 2.9 contains a fair amount of bureaucracy compared to the original Figure 2.2, even if it does a better job of matching, when read from bottom to top, the series of transitions. A less cluttered way of looking at these proofs is in terms of what we, following Chaudhuri, call synthetic inference rules [Cha08].


2.4  Synthetic  inference  rules 

Synthetic inference rules were introduced by Andreoli as the derivation fragments associated with bipoles. A monopole is the outermost negative (or positive) structure of a proposition, and a bipole is a monopole surrounded by positive (or, respectively, negative) propositions [And01]. In a polarized setting, bipoles capture the outermost structure of a proposition up to the second occurrence of a shift or an exponential.

The first idea behind synthetic inference rules is that the most important sequents in a polarized sequent calculus are stable sequents where all suspended propositions are atomic. This was reflected by our proof of the completeness of focusing (Theorem 2.6), which was restricted to stable sequents.⁷ The second idea is that the bottom-most rule in the proof of a stable sequent must be one of the following:

* copy on some proposition $A^-$ from $\Gamma$,

* $\text{focus}_L$ on some proposition $A^-$ in $\Delta$, or

* $\text{focus}_R$ on the succedent $A^+$.

Once we know which proposition we have focused on, the bipole structure of that proposition (that is, the outermost structure of the proposition up through the second occurrence of a shift or exponential) completely (though not uniquely) dictates the structure of the proof up to the next occurrences of stable sequents.

For example, consider the act of focusing on the proposition $a^+\multimap{\uparrow}b^+$ in $\Gamma$ using the copy rule, where $a^+$ and $b^+$ are positive atomic propositions. This must mean that a suspended atomic proposition $\langle a^+\rangle$ appears in the context $\Delta$, or else the proof could not be completed:

\[
\infer[\text{copy}]{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,\langle a^+\rangle\vdash U}{
 \infer[{\multimap}L]{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,\langle a^+\rangle,[a^+\multimap{\uparrow}b^+]\vdash U}{
  \infer[\text{id}^+]{\Gamma,a^+\multimap{\uparrow}b^+;\langle a^+\rangle\vdash[a^+]}{}
  &
  \infer[{\uparrow}L]{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,[{\uparrow}b^+]\vdash U}{
   \infer[\eta^+]{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,b^+\vdash U}{
    \Gamma,a^+\multimap{\uparrow}b^+;\Delta,\langle b^+\rangle\vdash U}}}}
\]

The non-stable sequents in the middle are not interesting parts of the structure of the proof, as they are fully determined by the choice of focus, so we can collapse this series of transitions into a single synthetic rule:

\[
\infer{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,\langle a^+\rangle\vdash U}{\Gamma,a^+\multimap{\uparrow}b^+;\Delta,\langle b^+\rangle\vdash U}
\]

For the MELL fragment of linear logic, we can associate exactly one rule with every positive proposition (corresponding to a right focus on that proposition) and two rules with every negative proposition (corresponding to left focus on a negative proposition in the persistent context and left focus on that negative proposition in the positive context). Here are three examples:

\[
\infer[\mathrm{LF}]{\Gamma;\Delta,\langle a^+\rangle,a^+\multimap{\uparrow}b^+\vdash U}{\Gamma;\Delta,\langle b^+\rangle\vdash U}
\qquad
\infer[\mathrm{RF}]{\Gamma;\Delta\vdash{\downarrow}({!}A^-\otimes b^+\otimes{\downarrow}C^-\multimap{\uparrow}D^+)}{\Gamma,A^-;\Delta,\langle b^+\rangle,C^-\vdash D^+}
\qquad
\infer[\mathrm{RF}']{\Gamma;\langle a^+\rangle\vdash a^+}{}
\]

\[
\infer[\mathrm{RF}]{\cdot;\cdot\vdash{\downarrow}({!}(\mathit{6bucks}\multimap{\uparrow}\mathit{battery})\otimes\mathit{6bucks}\otimes{\downarrow}(\mathit{battery}\multimap{\uparrow}\mathit{robot})\multimap{\uparrow}\mathit{robot})}{
 \infer[\mathrm{CP}]{\mathit{6bucks}\multimap{\uparrow}\mathit{battery};\langle\mathit{6bucks}\rangle,\mathit{battery}\multimap{\uparrow}\mathit{robot}\vdash\mathit{robot}}{
  \infer[\mathrm{LF}]{\mathit{6bucks}\multimap{\uparrow}\mathit{battery};\mathit{battery}\multimap{\uparrow}\mathit{robot},\langle\mathit{battery}\rangle\vdash\mathit{robot}}{
   \infer[\mathrm{RF}']{\mathit{6bucks}\multimap{\uparrow}\mathit{battery};\langle\mathit{robot}\rangle\vdash\mathit{robot}}{}}}}
\]

Figure 2.10: Our running example, presented with synthetic rules

⁷ If we had established the unfocused cut rule discussed in Section 2.3.8 and had then proven the completeness of focusing (Theorem 2.6) for arbitrary inverting sequents, it would have enabled an interpretation that puts all unfocused sequents on similar footing, but that is not our goal here.


This doesn't mean that there are no choices to be made within focused phases, just that, in MELL, those choices are limited to the way the resources (propositions in $\Delta$) are distributed among the branches of the proof. If we also consider additive connectives, we can identify some number of synthetic rules for each right focus, left focus, or copy. This may be zero, as there's no way to successfully right focus on a proposition like $0\otimes{\downarrow}A^-$, and therefore zero synthetic inference rules are associated with this proposition. It may be more than one: there are three ways to successfully right focus on the proposition $a^+\oplus b^+\oplus c^+$, and so three synthetic inference rules are associated with this proposition:

\[
\infer{\Gamma;\langle a^+\rangle\vdash a^+\oplus b^+\oplus c^+}{}
\qquad
\infer{\Gamma;\langle b^+\rangle\vdash a^+\oplus b^+\oplus c^+}{}
\qquad
\infer{\Gamma;\langle c^+\rangle\vdash a^+\oplus b^+\oplus c^+}{}
\]

Focused proofs of stable sequents are, by definition, in a 1-to-1 correspondence with proofs using synthetic inference rules. If we look at our running example as a derivation using the example synthetic inference rules presented above (as demonstrated in Figure 2.10), we see that the system takes four steps. The middle two steps, furthermore, correspond precisely to the two steps in our informal description of the robot-battery-store system.
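The RF rule above can be recovered mechanically from the bipole of its proposition. As an added worked derivation (not one of the dissertation's figures; the propositions are the same ones used in the rule, and the inversion rules are applied in left-most, depth-first order), here is the complete right-focus phase on ${\downarrow}({!}A^-\otimes b^+\otimes{\downarrow}C^-\multimap{\uparrow}D^+)$:

\[
\infer[\text{focus}_R]{\Gamma;\Delta\vdash{\downarrow}({!}A^-\otimes b^+\otimes{\downarrow}C^-\multimap{\uparrow}D^+)}{
 \infer[{\downarrow}R]{\Gamma;\Delta\vdash[{\downarrow}({!}A^-\otimes b^+\otimes{\downarrow}C^-\multimap{\uparrow}D^+)]}{
  \infer[{\multimap}R]{\Gamma;\Delta\vdash{!}A^-\otimes b^+\otimes{\downarrow}C^-\multimap{\uparrow}D^+}{
   \infer[{\otimes}L]{\Gamma;\Delta,{!}A^-\otimes b^+\otimes{\downarrow}C^-\vdash{\uparrow}D^+}{
    \infer[{!}L]{\Gamma;\Delta,{!}A^-,b^+\otimes{\downarrow}C^-\vdash{\uparrow}D^+}{
     \infer[{\otimes}L]{\Gamma,A^-;\Delta,b^+\otimes{\downarrow}C^-\vdash{\uparrow}D^+}{
      \infer[\eta^+]{\Gamma,A^-;\Delta,b^+,{\downarrow}C^-\vdash{\uparrow}D^+}{
       \infer[{\downarrow}L]{\Gamma,A^-;\Delta,\langle b^+\rangle,{\downarrow}C^-\vdash{\uparrow}D^+}{
        \infer[{\uparrow}R]{\Gamma,A^-;\Delta,\langle b^+\rangle,C^-\vdash{\uparrow}D^+}{
         \Gamma,A^-;\Delta,\langle b^+\rangle,C^-\vdash D^+}}}}}}}}}
\]

Every sequent strictly between the conclusion and the top premise is non-stable, and once the right focus is chosen each step is forced by the outermost structure of the proposition up to the second shift or exponential: the inner $A^-$, $C^-$ and $D^+$ are never decomposed. Collapsing the forced steps gives exactly the one-premise rule RF, with $A^-$ moved into $\Gamma$ by ${!}L$, $b^+$ left suspended by $\eta^+$, and $C^-$ left in $\Delta$ by ${\downarrow}L$. Reordering the invertible steps (say, ${\uparrow}R$ before ${\otimes}L$) yields the same premise, which is the confluence property of Section 2.3.8 at work.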


2.5  Hacking  the  focusing  system 

Despite the novel treatment of suspended propositions in Section 2.3, the presentation of linear logic given there is equivalent to the presentation in Chaudhuri's dissertation [Cha06], in the sense that the logic gives rise to the same synthetic inference rules. It is not a faithful intuitionistic analogue to Andreoli's original presentation of focusing [And92], though the presentation in Pfenning's course notes is [Pfe12c].⁸ Nor does it have the same synthetic inference rules as the focused presentation used in the framework of ordered logical specifications that we presented in [PS09].

In this section, we will discuss four different presentations of focused sequent calculi that are closely connected to the logic we have just presented. Each system differs significantly in its treatment of positive atomic propositions, the exponential ${!}A$, and the interaction between them.

* Andreoli's original system, which I name the atom optimization, complicates the interpretation of atomic propositions as stand-ins for arbitrary propositions.

* A further change to the atom optimization, the exponential optimization, complicates the relationship between the focused logic and the unfocused logic.

* The adjoint logic of Benton and Wadler [BW96] introduces a new syntactic class of persistent propositions, restricting linear propositions to the linear context and persistent propositions to the persistent context.

* The introduction of permeable atomic propositions, a notion (which dates at least back to Girard's LU [Gir93]) that some propositions can be treated as permeable between the persistent and linear contexts and that permeable atomic propositions can be introduced to stand for this class of permeable propositions.

⁸ We will blur the lines, in this section, between Andreoli's original presentation of focused classical linear logic and Pfenning's adaptation to intuitionistic linear logic. In particular, we will mostly use the notation of Pfenning's presentation, but the observations are equally applicable in Andreoli's focused triadic system.

The reason we survey these different systems is that they all provide a solution to a pervasive problem encountered when using focused sequent calculi as logical frameworks: the need to allow for synthetic inference rules of the form

\[
\infer{\Gamma,p;\Delta,q\vdash C}{\Gamma,p;\Delta,r\vdash C}
\]

where $p$ is an atomic proposition in the persistent context that is observed (but not consumed), $q$ is an atomic proposition that is consumed in the transition, and $r$ is an atomic proposition that is generated as the result of the transition. In the kinds of specifications we will be dealing with, the ability to form these synthetic inference rules is critical. In some uses, the persistent resource acts as permission to consume $q$ and produce $r$. In other uses, $p$ represents knowledge that we must currently possess in order to enact a transition. As a concrete example, America's 2010 health care reform law introduced a requirement that restaurant menus include calorie information. This means that, in the near future, we can exchange six bucks for a soup and salad at Panera, but only if we know how many calories are in the meal. The six bucks, soup, and salad remain ephemeral resources like $q$ and $r$, but the calorie count is persistent. A calorie count is scientific knowledge, which is a resource that is not consumed by the transition.

My justification for presenting Chaudhuri's system as the canonical focusing system for linear logic in Section 2.3 is because it most easily facilitates reasoning about the focused sequent calculus as a logic. Internal soundness and completeness properties are established by the cut admissibility and identity expansion theorems (Theorems 2.4 and 2.3), and these theorems are conceptually prior to the soundness and completeness of the focused system relative to the unfocused system (Theorems 2.5 and 2.6). The various modifications we discuss in this section complicate the treatment of focused logics as independently justifiable sequent calculi for linear logic. I suggest in Section 2.5.4 that the last option, the incorporation of permeable atomic propositions, is the most pleasing mechanism for incorporating the structure we desire into a focused presentation of linear logic.

All of the options discussed in this section are compatible with a fifth option, discussed in Section 4.7.1, of avoiding positive propositions altogether and instead changing our view of stable sequents. The proposition ${\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-$ is associated with this synthetic inference rule:

\[
\infer{\Gamma;\Delta,\Delta',{\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-\vdash\langle c^-\rangle}{\Gamma;\Delta\vdash\langle a^-\rangle & \Gamma;\Delta'\vdash\langle b^-\rangle}
\]

If we can prove a general theorem that the sequent $\Gamma;\Delta\vdash\langle a^-\rangle$ can only be proven if $\Delta = a^-$ or if $\Delta = \cdot$ and $a^-\in\Gamma$, then $a^-$ is a pseudo-positive atomic proposition. Proving the succedent $\langle a^-\rangle$ where $a^-$ is pseudo-positive is functionally very similar to proving $[a^+]$ in focus for a positive atomic proposition. This gives us license to treat stable sequents that prove a pseudo-positive proposition not as a stable sequent that appears in synthetic inference rules but as an immediate subgoal that gets folded into the synthetic inference rule. If $a^-$ is pseudo-positive, the persistent proposition ${\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-$ can be associated with these two synthetic inference rules:

\[
\infer{\Gamma;\Delta,{\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-,a^-\vdash\langle c^-\rangle}{\Gamma;\Delta\vdash\langle b^-\rangle}
\qquad
\infer{\Gamma,a^-;\Delta,{\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-\vdash\langle c^-\rangle}{\Gamma,a^-;\Delta\vdash\langle b^-\rangle}
\]

The machinery of lax logic introduced in Chapter 3 and the fragment of this logic that forms a logical framework in Chapter 4 make it feasible, in practice, to observe when negative atomic propositions are pseudo-positive.
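As an added worked derivation (not part of the dissertation; it uses only the rules of Section 2.3 and the proposition just discussed), here is the left-focus phase on ${\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-$ that the first synthetic rule above summarizes:

\[
\infer[\text{focus}_L]{\Gamma;\Delta,\Delta',{\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-\vdash\langle c^-\rangle}{
 \infer[{\multimap}L]{\Gamma;\Delta,\Delta',[{\downarrow}a^-\multimap{\downarrow}b^-\multimap c^-]\vdash\langle c^-\rangle}{
  \infer[{\downarrow}R]{\Gamma;\Delta\vdash[{\downarrow}a^-]}{
   \infer[\eta^-]{\Gamma;\Delta\vdash a^-}{\Gamma;\Delta\vdash\langle a^-\rangle}}
  &
  \infer[{\multimap}L]{\Gamma;\Delta',[{\downarrow}b^-\multimap c^-]\vdash\langle c^-\rangle}{
   \infer[{\downarrow}R]{\Gamma;\Delta'\vdash[{\downarrow}b^-]}{
    \infer[\eta^-]{\Gamma;\Delta'\vdash b^-}{\Gamma;\Delta'\vdash\langle b^-\rangle}}
   &
   \infer[\text{id}^-]{\Gamma;[c^-]\vdash\langle c^-\rangle}{}}}}
\]

The two open premises are stable sequents, so this phase is the rule with two premises. When $a^-$ is pseudo-positive, the left premise $\Gamma;\Delta\vdash\langle a^-\rangle$ has exactly two possible closed proofs: $\Delta = a^-$, proved by $\text{focus}_L$ followed by $\text{id}^-$, or $\Delta = \cdot$ with $a^-\in\Gamma$, proved by copy followed by $\text{id}^-$. Substituting those two proofs for the premise fixes $\Delta$ to $a^-$ or to $\cdot$ respectively, which is precisely how the single two-premise rule splits into the pair of one-premise rules above.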

2.5.1  Atom  optimization 

Andreoli's original focused system isn't polarized, so propositions that are syntactically invalid in a polarized presentation, like ${!}(p^+\otimes q^+)$ or ${!}p^+$, are valid in his system (we would have to write ${!}{\uparrow}(p^+\otimes q^+)$ and ${!}{\uparrow}p^+$). It's therefore possible, in an unpolarized presentation, to use the copy rule to copy a positive proposition out of the context and into left focus, but the focus immediately blurs, as in this (intuitionistic) proof fragment:⁹

\[
\infer[\text{copy}]{p^+\otimes q^+;\cdot\Vdash q^+\otimes p^+}{
 \infer[\text{blur}_L]{p^+\otimes q^+;[p^+\otimes q^+]\Vdash q^+\otimes p^+}{
  \infer[{\otimes}L]{p^+\otimes q^+;p^+\otimes q^+\Vdash q^+\otimes p^+}{
   p^+\otimes q^+;p^+,q^+\Vdash q^+\otimes p^+}}}
\]

Note that, in the polarized setting, the effect of the $\text{blur}_L$ rule is accomplished by the ${\uparrow}L$ rule.

Andreoli's system makes a single restriction to the copy rule: it cannot apply to a positive atomic proposition in the persistent context. On its own, this restriction would make the system incomplete with respect to unfocused linear logic (there would be no focused proof of ${!}p^+\multimap p^+$), and so Andreoli-style focusing systems restore completeness by creating a second initial sequent for positive atomic propositions that allows a positive right focus on an atomic proposition to succeed if the atomic proposition appears in the persistent context:

\[
\infer[\text{id}_1]{\Gamma;p^+\Vdash[p^+]}{}
\qquad
\infer[\text{id}_2]{\Gamma,p^+;\cdot\Vdash[p^+]}{}
\]

With the second initial rule, we can once again prove ${!}p^+\multimap p^+$, and the system becomes complete with respect to unfocused linear logic again.

\[
\infer[{\multimap}R]{\cdot;\cdot\Vdash{!}p^+\multimap p^+}{
 \infer[{!}L]{\cdot;{!}p^+\Vdash p^+}{
  \infer[\text{focus}_R]{p^+;\cdot\Vdash p^+}{
   \infer[\text{id}_2]{p^+;\cdot\Vdash[p^+]}{}}}}
\]

⁹ We will use the sequent form $\Gamma;\Delta\Vdash C$ in this section for focused but unpolarized systems. Again, we frequently reference Pfenning's presentation of focused linear logic [Pfe12c] as a faithful intuitionistic analogue of Andreoli's system.

This modified treatment of positive atoms will be called the atom optimization, as it reduces the number of focusing steps that need to be applied: it takes only one right focus to prove ${!}p^+\multimap p^+$ in Andreoli's system, but it would take two focusing steps to prove the same proposition in Chaudhuri's system (or to prove ${!}{\uparrow}p^+\multimap{\uparrow}p^+$ in the focusing system we have presented).

There seem to be three ways of adapting the atom optimization to a polarized setting. The first approach is to add an initial sequent that directly mimics the one in Andreoli's system, while adding an additional requirement to the copy rule that $A^-$ is not a shifted positive atomic proposition:

\[
\infer[\text{id}^+_1]{\Gamma;\langle A^+\rangle\vdash[A^+]}{}
\qquad
\infer[\text{id}^+_2]{\Gamma,{\uparrow}p^+;\cdot\vdash[p^+]}{}
\qquad
\infer[\text{copy}\ (A^-\neq{\uparrow}p^+)]{\Gamma,A^-;\Delta\vdash U}{\Gamma,A^-;\Delta,[A^-]\vdash U}
\]

The second approach is to extend suspended propositions to the persistent context, add a corresponding rule for right focus, and modify the left rule for $!$ to notice the presence of a positive atomic proposition:

\[
\infer[{!}L_1\ (A^-\neq{\uparrow}p^+)]{\Gamma;\Delta,{!}A^-\vdash U}{\Gamma,A^-;\Delta\vdash U}
\qquad
\infer[{!}L_2]{\Gamma;\Delta,{!}{\uparrow}p^+\vdash U}{\Gamma,\langle p^+\rangle;\Delta\vdash U}
\]

\[
\infer[\text{id}^+_1]{\Gamma;\langle A^+\rangle\vdash[A^+]}{}
\qquad
\infer[\text{id}^+_2]{\Gamma,\langle A^+\rangle;\cdot\vdash[A^+]}{}
\]

The third approach is to introduce a new connective, ¡, that can only be applied to positive atomic propositions, just as $!$ can only be applied to negative propositions. We can initially view this option as equivalent to the previous one by defining $\text{¡}p^+$ as a notational abbreviation for ${!}{\uparrow}p^+$ and styling rules according to the second approach above:

\[
\infer[\text{¡}R]{\Gamma;\cdot\vdash[\text{¡}p^+]}{\Gamma;\cdot\vdash p^+}
\qquad
\infer[\text{¡}L]{\Gamma;\Delta,\text{¡}p^+\vdash U}{\Gamma,\langle p^+\rangle;\Delta\vdash U}
\qquad
\infer[\text{id}^+_1]{\Gamma;\langle A^+\rangle\vdash[A^+]}{}
\qquad
\infer[\text{id}^+_2]{\Gamma,\langle A^+\rangle;\cdot\vdash[A^+]}{}
\]

All three of these options are similar; we will go with the last, as it allows us to preserve the original meaning of ${!}{\uparrow}p^+$ if that is our actual intent. Introducing the atom optimization as a new connective also allows us to isolate the effects that this new connective has on cut admissibility, identity expansion, and the correctness of focusing; we will consider each in turn.
\[
\infer[\text{¡}L]{\cdot;\text{¡}p^+\vdash p^+\otimes p^+}{
 \infer[\text{focus}_R]{\langle p^+\rangle;\cdot\vdash p^+\otimes p^+}{
  \infer[{\otimes}R]{\langle p^+\rangle;\cdot\vdash[p^+\otimes p^+]}{
   \infer[\text{id}^+_2]{\langle p^+\rangle;\cdot\vdash[p^+]}{}
   &
   \infer[\text{id}^+_2]{\langle p^+\rangle;\cdot\vdash[p^+]}{}}}}
\]

vs.

\[
\infer[{!}L]{\cdot;{!}{\uparrow}A^+\vdash A^+\otimes A^+}{
 \infer[\text{copy}]{{\uparrow}A^+;\cdot\vdash A^+\otimes A^+}{
  \infer[{\uparrow}L]{{\uparrow}A^+;[{\uparrow}A^+]\vdash A^+\otimes A^+}{
   \infer[\eta^+]{{\uparrow}A^+;A^+\vdash A^+\otimes A^+}{
    \infer[\text{copy}]{{\uparrow}A^+;\langle A^+\rangle\vdash A^+\otimes A^+}{
     \infer[{\uparrow}L]{{\uparrow}A^+;\langle A^+\rangle,[{\uparrow}A^+]\vdash A^+\otimes A^+}{
      \infer[\eta^+]{{\uparrow}A^+;\langle A^+\rangle,A^+\vdash A^+\otimes A^+}{
       \infer[\text{focus}_R]{{\uparrow}A^+;\langle A^+\rangle,\langle A^+\rangle\vdash A^+\otimes A^+}{
        \infer[{\otimes}R]{{\uparrow}A^+;\langle A^+\rangle,\langle A^+\rangle\vdash[A^+\otimes A^+]}{
         \infer[\text{id}^+_1]{{\uparrow}A^+;\langle A^+\rangle\vdash[A^+]}{}
         &
         \infer[\text{id}^+_1]{{\uparrow}A^+;\langle A^+\rangle\vdash[A^+]}{}}}}}}}}}}
\]

Figure 2.11: Substituting $A^+$ for $p^+$ in the presence of the atom optimization


Identity expansion  There is one new case of identity expansion, which is unproblematic:

\[
\infer[\eta^+]{\Gamma;\Delta,\text{¡}p^+\vdash U}{\deduce{\Gamma;\Delta,\langle\text{¡}p^+\rangle\vdash U}{\mathcal{D}}}
\qquad\Longrightarrow\qquad
\infer[\text{¡}L]{\Gamma;\Delta,\text{¡}p^+\vdash U}{
 \infer[\text{subst}^+]{\Gamma,\langle p^+\rangle;\Delta\vdash U}{
  \infer[\text{¡}R]{\Gamma,\langle p^+\rangle;\cdot\vdash[\text{¡}p^+]}{
   \infer[\text{focus}_R]{\Gamma,\langle p^+\rangle;\cdot\vdash p^+}{
    \infer[\text{id}^+_2]{\Gamma,\langle p^+\rangle;\cdot\vdash[p^+]}{}}}
  &
  \infer[\text{weaken}]{\Gamma,\langle p^+\rangle;\Delta,\langle\text{¡}p^+\rangle\vdash U}{\deduce{\Gamma;\Delta,\langle\text{¡}p^+\rangle\vdash U}{\mathcal{D}}}}}
\]


Even though the identity expansion theorem is unproblematic, we can illuminate one problem with the atom optimization by considering the substitution of arbitrary propositions for atomic propositions. Previously, when we substituted a positive proposition for an atomic proposition, the proof's structure remained fundamentally unchanged: instances of the $\eta^+$ rule on $p^+$ turned into admissible instances of the general identity expansion rule $\eta^+$ on $A^+$. Now, we have to explain what it even means to substitute $A^+$ for $p^+$ in $\text{¡}p^+$, since $\text{¡}A^+$ is not a syntactically valid proposition; the only obvious candidate seems to be ${!}{\uparrow}A^+$. That substitution may require us to change the structure of proofs in a significant way, as shown in Figure 2.11. Immediately before entering into any focusing phase where the $\text{id}^+_2$ rule is used $n$ times on the hypothesis $\langle p^+\rangle$, we need to left-focus on ${\uparrow}A^+$ $n$ times with the copy rule to get $n$ copies of $\langle A^+\rangle$ into the linear context, each of which can be used to replace one of the $\text{id}^+_2$ instances with an instance of $\text{id}^+_1$.


Cut  admissibility  While  we  might  be  willing  to  sacrifice  the  straightforward  interpretation  of 
atomic  propositions  as  stand-ins  for  arbitrary  propositions,  another  instance  of  the  same  prob¬ 
lematic  pattern  arises  when  we  try  to  establish  the  critical  cut  admissibility  theorem  for  the  logic 
with  tp+.  Most  of  the  new  cases  are  unproblematic,  but  trouble  arises  in  part  1  when  we  cut  a 
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r;  ( p+ )  [p4 


r;  •  I-  [g+] 

r-q 


idn 


r;  ( P+ )  I-  P+ 

Y]p+  I-  p+ 


r;  [t P4 

t p+  b  p H 


r;-h^ 


b  p"1 


copy 


idf 

focusR 


V 

tL 


id) 


r,  (p+);  •  i~  [p+]  "  2  r,(p+);-h  [p+] 
r,(p+);-  h  [p+®p+]  ^ 


T;  •  b  p+  0>p+ 


r,(p+);-  bp+®p+  ■'7“" 

.  cut (bo) 


T;  <p+)  b  [jb 


T;  <p+)  b  [pH 


it# 


T;  (p+),  (p+)  b  [p+  ®pH 


IV  bp1 


r;(p+),(p+)  bp+0>pH 

T;  (p+),p+  b  p+  g)  p+ 


:  T;  (p+)  b  p+  ®pH 

r;-hp+  r;p+hp+®p+  \oN 

. ■■■ . ■■■■ .  cut (3) 

T;  •  h  p+  <g)  p+ 


focus 

-  7]+ 

cut( 3) 


R 


(where  T  =  q+  — °  |p+,  (g+)) 


Figure  2.12:  A  problematic  cut  that  arises  from  the  introduction  of  the  tp+  connective 


right-focused  proof  of  tp+  against  a  proof  that  is  decomposing  tp+  on  the  left: 


T;-hp+  ^  F,  (p+);  A\-  u 
r;-  b  [V]  ’R  r;  a,  v  b  u 
. f-aTT . 


h 


cut( 1) 


We  are  left  needing  to  prove  that  T:  •  b  p+  and  T,  (p+);  A  b  U  proves  T;  A  b  U,  which  does 
not  fit  the  structure  of  any  of  our  existing  cut  principles.  It  is  similar  to  the  statement  of  part 
5  of  Theorem  2.4  (if  T;  •  b  A~  and  T,  A~;  A  b  U_,  then  T;  A  b  U),  but  the  proof  is  not  so 
straightforward. 

To see why this cut is more complicated to prove than part 5 of Theorem 2.4, consider what it will take to reduce the cut in the top half of Figure 2.12. We cannot immediately call the induction hypothesis on the sub-derivation in the right branch, as there is no way to prove p+ ⊗ p+ in focus when ⟨p+⟩ does not appear (twice) in the linear context. We need to get two suspended ⟨p+⟩ antecedents into the linear context; then we can replace all the instances of id¡ with instances of id+ that use freshly-minted ⟨p+⟩ antecedents. This can be achieved with repeated application of part 3 of Theorem 2.4, as shown in the bottom half of Figure 2.12.

The minimal extension to cut admissibility (Theorem 2.4) that justifies the atom optimization appears to be the following, where ⟨p+⟩ⁿ denotes n copies of the suspended positive proposition ⟨p+⟩.
Theorem 2.7 (Extra cases of cut admissibility (Theorem 2.4)).

6a. If Γ; · ⊢ p+ and Γ, ⟨p+⟩; Δ ⊢ [B+], then there exists n such that Γ; Δ, ⟨p+⟩ⁿ ⊢ [B+].

6b. If Γ; · ⊢ p+ and Γ, ⟨p+⟩; Δ ⊢ U, then Γ; Δ ⊢ U.

6c. If Γ; · ⊢ p+ and Γ, ⟨p+⟩; Δ, [B−] ⊢ U, then there exists n such that Γ; Δ, ⟨p+⟩ⁿ, [B−] ⊢ U.

Proof. Induction on the second given derivation; whenever focusR, focusL or copy is the last rule in part 6b, we need to make n calls to part 3 of the cut admissibility lemma, each one followed by a use of the η+ rule, where n is determined by the inductive call to part 6a (for focusR) or 6c (for focusL and copy).

The calls to part 3 are justified by the existing induction metric: the principal cut formula p+ stays the same and the part number gets smaller. □


Correctness of focusing  The obvious way of extending erasure for our extended logic is to let (¡p+)° = !p+ and to let (Γ, ⟨p+⟩)° = Γ°, p+. Under this interpretation, the soundness of ¡R and ¡L has the same structure as the soundness of !R and !L, and the soundness of id¡ in the focused system is established with copy and id in the unfocused system:

$$\frac{\dfrac{}{\Gamma^\circ,p^+;p^+\longrightarrow p^+}\,\mathit{id}}{\Gamma^\circ,p^+;\cdot\longrightarrow p^+}\,copy$$


The extension to the proof of completeness requires two additional cases to deal with ¡, both of which are derivable...

$$\frac{\dfrac{\Gamma;\cdot\vdash p^+}{\Gamma;\cdot\vdash[\text{¡}p^+]}\,\text{¡}_R}{\Gamma;\cdot\vdash\text{¡}p^+}\,\mathit{focus}_R\qquad\frac{\Gamma,\langle p^+\rangle;\Delta\vdash U}{\Gamma;\Delta,\text{¡}p^+\vdash U}\,\text{¡}_L$$

...as well as a case dealing with the situation where we apply copy to the erasure of a persistent suspended proposition. This case reduces to a case of ordinary focal substitution:

$$\frac{\Gamma,\langle p^+\rangle;\Delta,\langle p^+\rangle\vdash U}{\Gamma,\langle p^+\rangle;\Delta\vdash U}\,(copy)^\circ\qquad\Longrightarrow\qquad\frac{\dfrac{}{\Gamma,\langle p^+\rangle;\cdot\vdash[p^+]}\,\mathit{id}_{\text{¡}}\qquad\Gamma,\langle p^+\rangle;\Delta,\langle p^+\rangle\vdash U}{\Gamma,\langle p^+\rangle;\Delta\vdash U}\,\mathit{subst}^+$$


For such a seemingly simple change, the atom optimization adds a surprising amount of complexity to the cut admissibility theorem for focused linear logic. What's more, the three extra cases of cut that we had to introduce were all for the purpose of handling a single problematic case in the proof of part 1 where both derivations were decomposing the principal cut formula ¡p+.


2.5.2  Exponential  optimization 

The choice of adding ¡p+ as a special new connective instead of defining it as !↑p+ paves the way for us to modify its meaning further. For instance, there turns out to be no internal reason for the ¡R rule to lose focus in its premise, even though it is critical that !R lose focus on its premise; if we fail to do so, propositions like !(p+ ⊗ q+) ⊸ !(q+ ⊗ p+) will have no proof. We can revise ¡R accordingly:

$$\frac{\Gamma;\cdot\vdash[p^+]}{\Gamma;\cdot\vdash[\text{¡}p^+]}\,\text{¡}_R\qquad\frac{\Gamma,\langle p^+\rangle;\Delta\vdash U}{\Gamma;\Delta,\text{¡}p^+\vdash U}\,\text{¡}_L\qquad\frac{}{\Gamma;\langle A^+\rangle\vdash[A^+]}\,\mathit{id}^+\qquad\frac{}{\Gamma,\langle A^+\rangle;\cdot\vdash[A^+]}\,\mathit{id}_{\text{¡}}$$


This further optimization can be called the exponential optimization, as it, like the atom optimization, potentially reduces the number of focusing phases in a proof. Identity expansion is trivial to modify, and cut admissibility is significantly simpler.

The problematic case of cut is easy to handle in this modified system: we can conclude by case analysis that the first given derivation must prove p+ in focus using the id¡ rule. This, in turn, means that ⟨p+⟩ must already appear in Γ, so Γ = Γ′, ⟨p+⟩, and the cut reduces to an admissible instance of contraction.


$$\frac{\dfrac{\dfrac{}{\Gamma',\langle p^+\rangle;\cdot\vdash[p^+]}\,\mathit{id}_{\text{¡}}}{\Gamma',\langle p^+\rangle;\cdot\vdash[\text{¡}p^+]}\,\text{¡}_R\qquad\dfrac{\Gamma',\langle p^+\rangle,\langle p^+\rangle;\Delta\vdash U}{\Gamma',\langle p^+\rangle;\Delta,\text{¡}p^+\vdash U}\,\text{¡}_L}{\Gamma',\langle p^+\rangle;\Delta\vdash U}\,cut(1)\qquad\Longrightarrow\qquad\frac{\Gamma',\langle p^+\rangle,\langle p^+\rangle;\Delta\vdash U}{\Gamma',\langle p^+\rangle;\Delta\vdash U}\,contract$$


Thus, we no longer need the complicated extra parts 6a–6c of cut admissibility in order to prove cut admissibility for a focused system with the exponential optimization.

Because cut and identity hold, we can think of a focused logic with the exponential optimization as being internally sensible. The problem is that this logic is no longer externally sensible relative to normal linear logic, because we cannot erase ¡ into regular linear logic in a sensible way. Specifically, if we continue to define (¡p+)° as !p+, then ¡q+ ⊸ !(q+ ⊸ ↑p+) ⊸ ¡p+ has no proof in focused linear logic, whereas its erasure, !q+ ⊸ !(q+ ⊸ p+) ⊸ !p+, does have an unfocused proof. In other words, the completeness of focusing (Theorem 2.6) no longer holds under the exponential optimization!
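Here is the failed proof search behind that claim, worked out as an added example rather than a derivation taken from the original text. It assumes the Section 2.3 rule shapes for copy, ⊸L, ↑L, η+ and focusR, and writes Γ₀ = ⟨q+⟩, q+ ⊸ ↑p+ for the persistent context left after inverting the two ⊸R steps, ¡L and !L (the same Γ as in Figure 2.12). Under the focus-preserving ¡R, both orders of proceeding get stuck:

$$\text{(a) right focus first:}\qquad\frac{\dfrac{\Gamma_0;\cdot\vdash[p^+]\quad\text{(no rule applies: }\langle p^+\rangle\notin\Gamma_0\text{ and }\Delta=\cdot\text{)}}{\Gamma_0;\cdot\vdash[\text{¡}p^+]}\,\text{¡}_R}{\Gamma_0;\cdot\vdash\text{¡}p^+}\,\mathit{focus}_R$$

$$\text{(b) persistent implication first:}\qquad\frac{\dfrac{\dfrac{}{\Gamma_0;\cdot\vdash[q^+]}\,\mathit{id}_{\text{¡}}\qquad\dfrac{\dfrac{\dfrac{\Gamma_0;\langle p^+\rangle\vdash[\text{¡}p^+]\quad\text{(stuck: }\text{¡}_R\text{ requires }\Delta=\cdot\text{)}}{\Gamma_0;\langle p^+\rangle\vdash\text{¡}p^+}\,\mathit{focus}_R}{\Gamma_0;p^+\vdash\text{¡}p^+}\,\eta^+}{\Gamma_0;[\uparrow p^+]\vdash\text{¡}p^+}\,\uparrow_L}{\Gamma_0;[q^+\multimap\uparrow p^+]\vdash\text{¡}p^+}\,\multimap_L}{\Gamma_0;\cdot\vdash\text{¡}p^+}\,copy$$

No rule moves a suspended ⟨p+⟩ from the linear context into the persistent one, so the ⟨p+⟩ produced by ↑L can never satisfy ¡R's empty-context premise. With the focus-losing ¡R of Section 2.5.1 the premise of attempt (a) becomes the unfocused Γ₀; · ⊢ p+, which is exactly the derivation 𝒟 of Figure 2.12, and the proof goes through, just as the unfocused proof of the erasure applies !R first and then copy and ⊸L inside its premise.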

Our focused logic with the exponential optimization has some resemblance to tensor logic [MT10], as well as the polarized logic that Girard presented in a note, "On the sex of angels," which first introduced the ↑A+ and ↓A− notation to the discussion of polarity [Gir91]. Both of these presentations incorporate a general focus-preserving ¡A+ connective - a positive formula with a positive subformula - in lieu of the focus-interrupting !A− connective. Both presentations also have the prominent caveat that ! in the unfocused logic necessarily corresponds to ¡↓ in the focused logic: it is not possible to derive ¡(A ⊗ B) ⊢ ¡(B ⊗ A) in these systems, and no apology is made for this fact, because ¡↓↑(A ⊗ B) ⊢ ¡↓↑(B ⊗ A) holds as expected. We want to avoid this route because it gives the shifts too much power: they influence the existence of proofs, not just the structure of proofs.¹⁰ This interpretation of shifts therefore threatens our critical ability to intuitively understand and explain linear logic connectives as resources.

There is an easily identifiable class of sequents that obey separation, which is the property that positive atomic propositions can be separated into two classes pₗ+ and pₚ+. The linear positive

¹⁰Both the note of Girard and the paper of Melliès and Tabareau see the shifts as a form of negation; therefore, writing from an intuitionistic perspective, they are unconcerned that ↓↑A+ has a different meaning than A+ in their constructive logic. There are many propositions where ¬¬A is provable even though A is not! This view of shifts as negations seems rather foreign to the erasure-based understanding of shifts we have been discussing, though Zeilberger has attempted to reconcile these viewpoints [Zei08b].
propositions pₗ+ are never suspended in the persistent context and never appear as ¡pₗ+, whereas the persistent positive propositions pₚ+ are never suspended in the linear context and always appear as ¡pₚ+ inside of other propositions. For sequents and formulas obeying separation, we can use the obvious erasure operation and obtain a proof of the completeness of focusing; this notion of separation was the basis of our completeness result in [PS09]. However, separation is a meta-logical property, something that we observe about a fragment of the logic and not an inherent property of the logic itself. There are many propositions A+ and A− that we cannot prove in focused linear logic with the exponential optimization even though (A+)° and (A−)° are provable in linear logic, and that makes the exponential optimization unsatisfactory.

The remaining two approaches, adjoint logic and the introduction of permeable atomic propositions, can both be seen as attempts to turn separation into a logical property instead of a meta-logical property.


2.5.3  Adjoint  logic 

We introduced ¡p+ as a connective defined as !↑p+ - that is, the regular !A− connective plus a little something extra, the shift. After our experience with modifying the rules of ¡, we can motivate adjoint logic by trying to view ¡ as a more primitive connective - that is, we will try to view ! as ¡ plus a little something extra.

It is frequently observed that the exponential !A of linear logic appears to have two or more parts; the general idea is that ¡ represents just one of those pieces. Accounts of linear logic that follow the judgmental methodology of Martin-Löf [ML96], such as the analysis by Chang et al. [CCP03], emphasize that the regular hypothetical sequent Γ; Δ ⟶ A of linear logic is establishing the judgment that A is true: we can write Γ; Δ ⟶ A true to emphasize this. The judgment of validity, represented by the judgment A valid, is defined as truth using no ephemeral resources, and !A is understood as the internalization of judgmental validity:

$$\frac{\Gamma;\cdot\longrightarrow A\ \mathit{true}}{\Gamma\longrightarrow A\ \mathit{valid}}\,\mathit{valid}\qquad\frac{\Delta=\cdot\qquad\Gamma\longrightarrow A\ \mathit{valid}}{\Gamma;\Delta\longrightarrow\,!A\ \mathit{true}}\,!'_R$$


The valid rule is invertible, so if we ever need to prove Γ ⟶ A valid, we may asynchronously transition to proving Γ; · ⟶ A true. This observation is used to explain why we don't normally consider validity on the right in linear logic. Our more familiar rule for !R is derivable using these two rules:

$$\frac{\Delta=\cdot\qquad\dfrac{\Gamma;\cdot\longrightarrow A\ \mathit{true}}{\Gamma\longrightarrow A\ \mathit{valid}}\,\mathit{valid}}{\Gamma;\Delta\longrightarrow\,!A\ \mathit{true}}\,!'_R$$


Note that the !′R rule is not invertible, because it forces the linear context to be empty, which means ! must be positive. The valid rule, on the other hand, is invertible and has an asynchronous or negative character, because it represents the invertible step of deciding to prove that A is valid (true without recourse to any ephemeral resources) by proving that it is true (in a context with no ephemeral resources). This combination of positive and negative actions explains why !A− is a positive proposition with a negative subformula, and similarly explains why we must break focus when we reach !A on the right and why we must stop decomposing the proposition when
$$\frac{\Gamma;\cdot\longrightarrow A}{\Gamma\longrightarrow GA}\,G_R\qquad\frac{\Gamma,GA;\Delta,A\longrightarrow C}{\Gamma,GA;\Delta\longrightarrow C}\,G_L\qquad\frac{}{\Gamma,x\longrightarrow x}\,\mathit{init}$$

$$\frac{\Gamma,X\longrightarrow Y}{\Gamma\longrightarrow X\supset Y}\,\supset_R\qquad\frac{\Gamma,X\supset Y\longrightarrow X\qquad\Gamma,X\supset Y,Y\longrightarrow Z}{\Gamma,X\supset Y\longrightarrow Z}\,\supset_L\qquad\frac{\Gamma,X\supset Y\longrightarrow X\qquad\Gamma,X\supset Y,Y;\Delta\longrightarrow C}{\Gamma,X\supset Y;\Delta\longrightarrow C}\,\supset_L$$

$$\frac{\Gamma\longrightarrow X}{\Gamma;\cdot\longrightarrow FX}\,F_R\qquad\frac{\Gamma,X;\Delta\longrightarrow C}{\Gamma;\Delta,FX\longrightarrow C}\,F_L\qquad\frac{}{\Gamma;a\longrightarrow a}\,\mathit{init}$$

$$\frac{\Gamma;\Delta,A\longrightarrow B}{\Gamma;\Delta\longrightarrow A\multimap B}\,\multimap_R\qquad\frac{\Gamma;\Delta_1\longrightarrow A\qquad\Gamma;\Delta_2,B\longrightarrow C}{\Gamma;\Delta_1,\Delta_2,A\multimap B\longrightarrow C}\,\multimap_L$$

Figure 2.13: Some relevant sequent calculus rules for adjoint logic


we reach !A on the left. The salient feature of the exponential optimization's rules for ¡p+, of course, is that they do not break focus on the right and that they continue to decompose the proposition on the left (into a suspended proposition ⟨p+⟩ in the persistent context). This is the reason for arguing that ¡ captures only the first, purely positive, component of the ! connective.

If the ¡ connective is the first part of the ! connective, can we characterize the rest of the connective? Giving a reasonable answer necessarily requires a more general account of the ¡ connective - an unfocused logic where it is generally applicable rather than restricted to positive atomic propositions. In other words, to account for the behavior of ¡, we must give a more primitive logic into which linear logic can be faithfully encoded.

A candidate for a more primitive logic, and one that has tacitly formed the basis of much of my previous work on logic programming and logical specification in substructural logic [PS09, SP11b, SP11a], is adjoint logic. Adjoint logic was first characterized by Benton and Wadler as a natural deduction system [BW96] and was substantially generalized by Reed in a sequent calculus setting [Ree09b]. The logic generalizes both linear logic and Fairtlough and Mendler's lax logic [FM97] as sub-languages of a common logic, whose propositions come in two syntactically distinct categories that are connected by the adjoint operators F and G:

Persistent propositions  X, Y, Z ::= GA | x | X ⊃ Y | X × Y

Linear propositions  A, B, C ::= FX | a | A ⊸ B | A ⊗ B

In adjoint logic, persistent propositions X appear in the persistent context Γ and as the succedents of sequents Γ ⟶ X, whereas linear propositions A appear in the linear context Δ and as the succedents of sequents Γ; Δ ⟶ A. Going back to our previous discussion, this means that persistent propositions are only ever judged to be valid, and that linear propositions are only ever judged to be true. A fragment of the logic is shown in Figure 2.13. Note the similarity between the GL rule and our unfocused copy rule, as well as the similarity between FR and GR in Figure 2.13 and the rules !′R and valid in the previous discussion. Linear logic is recovered as a fragment of adjoint logic by removing all of the persistent propositions except for GA; the usual !A is then definable as FGA.¹¹

One drawback of this approach is simply the logistics of giving a fully focused presentation of adjoint logic. We end up with a proliferation of propositions, because the syntactic distinction between X and A is orthogonal to the syntactic distinction between positive and negative propositions. A polarized presentation of adjoint logic would have four syntactic categories: X+, X−, A+, and A−, with one pair of shifts mediating between X+ and X− and another pair of shifts mediating between A+ and A−.¹² Given a focused presentation of adjoint logic, however, the separation criteria discussed above can be stated in terms of the two forms of positive atomic proposition a and x. Positive atomic propositions that are always associated with ¡ can be encoded as persistent positive atomic propositions x+, whereas positive atomic propositions that are never associated with ¡ can be encoded as linear positive atomic propositions a+. The proposition ¡p+ can then be translated as Fx+, where x+ is the translation of p+ as a persistent positive atomic proposition.

Adjoint logic gives one answer to why, in Andreoli-style presentations of linear logic, we can't easily substitute positive propositions for positive atomic propositions when those positive atomic propositions appear suspended in the persistent context: because these propositions are actually stand-ins for persistent propositions, not for linear propositions, and we are working in a fragment of the logic that has no interesting persistent propositions other than atomic propositions x and the negative inclusion GA back into linear propositions. This effectively captures the structure of the separation requirement (as defined at the end of Section 2.5.2 above) in a logical way, but it makes the structure of persistent atomic propositions rather barren and degenerate, and it places an extra logic, adjoint logic, between the focused system and our original presentation of intuitionistic linear logic.


2.5.4  Permeability 

Let us review the problems with our previous attempts to motivate a satisfactory treatment of positive propositions in the persistent context. Andreoli's atom optimization interferes with the structure of cut admissibility. The exponential optimization lacks a good interpretation in unfocused linear logic. The adjoint formulation of linear logic introduces persistent positive propositions as members of a syntactic class X of persistent propositions, a syntactic class that usually lies hidden in between the two right-synchronous and right-asynchronous (that is, positive and negative) halves of the ! connective. This approach works but requires a lot of extra machinery.

Our final attempt to logically motivate a notion of a persistent positive proposition will be based on an analysis of permeability. Permeability in classical presentations of linear logic dates back to Girard's LU [Gir93]. In this section, we will motivate permeable atomic propositions in

¹¹Lax logic, on the other hand, is recovered by removing all of the linear propositions except for FX; the distinguishing connective of lax logic, ○X, is then definable as GFX.

¹²To make matters worse, in Levy's Call-By-Push-Value language, the programming language formalism that corresponds to polarized logic, ↑ and ↓ are characterized as adjoints as well (F and U, respectively), so a fully polarized adjoint logic has three distinct pairs of unary connectives that can be characterized as adjoints!
intuitionistic linear logic by first considering a new identity expansion principle that only applies to permeable propositions, a syntactic refinement of the positive propositions.¹³

The admissible identity expansion rules, like the admissible identity rule present in most unfocused sequent calculus systems, help us write down compact proofs. If F(n) = p₁+ ⊗ ... ⊗ pₙ+, then the number of steps in the smallest proof of Γ; F(n) ⊢ F(n) is in Ω(n). However, by using the admissible identity expansion rule η+, we can represent the proof in a compact way:

$$\frac{\dfrac{\dfrac{}{\Gamma;\langle F(n)\rangle\vdash[F(n)]}\,\mathit{id}^+}{\Gamma;\langle F(n)\rangle\vdash F(n)}\,\mathit{focus}_R}{\Gamma;F(n)\vdash F(n)}\,\eta^+$$


Permeability  as  a  property  of  identity  expansion 

The pattern we want to capture with our new version of identity expansion is the situation where we are trying to prove a sequent like Γ; Δ ⊢ 1 or Γ; Δ ⊢ !A− and we know, by the syntactic structure of Δ, that inversion will empty the linear context. One instance of this pattern is the sequent Γ; G(n) ⊢ !G(n) where G(n) = !p₁+ ⊗ ... ⊗ !pₙ+. Our goal will be to prove such a sequent succinctly by suspending the proposition G(n) directly in the persistent context just as we did with the proof involving F(n) above. To use these suspended propositions, we introduce a hypothesis rule for positive propositions suspended in the persistent context.

$$\frac{}{\Gamma,\langle A^+\rangle;\cdot\vdash[A^+]}\,\mathit{id}^+_p$$

This rule is, of course, exactly the id¡ rule from our discussion of Andreoli's system. There is also a focal substitution principle, Theorem 2.8. This theorem was true in Andreoli's system, but we did not need or discuss it.

Theorem 2.8 (Focal substitution (positive, persistent)).

If Γ; · ⊢ [A+] and Γ, ⟨A+⟩; Δ ⊢ U, then Γ; Δ ⊢ U.

Proof. Once again, this is a straightforward induction over the second given derivation, as in a proof of regular substitution in a natural deduction system. If the second derivation is the axiom id⁺ₚ applied to the suspended proposition ⟨A+⟩ we are substituting for, then the result follows immediately using the first given derivation. □

Given this focal substitution principle, we can consider the class of permeable positive propositions. A permeable proposition is one where, when we use the admissible η+ rule to suspend it in the linear context, we might just as well suspend it in the persistent context, as it decomposes entirely into persistent pieces. In other words, we want a class of propositions A+ such that Γ, ⟨A+⟩; Δ ⊢ U implies Γ; Δ, A+ ⊢ U; this is the permeable identity expansion property.

13Permeable  negative  propositions  are  relevant  to  classical  linear  logic,  but  the  asymmetry  of  intuitionistic  linear 
logic  means  that,  for  now,  it  is  reasonable  to  consider  permeability  exclusively  as  a  property  of  positive  propositions. 
We  will  consider  a  certain  kind  of  right-permeable  propositions  in  Chapter  3. 
Figure 2.14: Persistent identity expansion


It is possible to precisely characterize the MELL propositions that are permeable as a syntactic refinement of positive propositions:

Aₚ+ ::= !A− | 1 | Aₚ+ ⊗ Bₚ+

In full first-order linear logic, 0, A+ ⊕ B+, and ∃x.A+ would be included as well; essentially only p+ and ↓A− are excluded from this fragment.

Theorem 2.9 (Permeable identity expansion). If Γ, ⟨Aₚ+⟩; Δ ⊢ U, then Γ; Δ, Aₚ+ ⊢ U.

Proof. Induction over the structure of the proposition Aₚ+ or A−. The cases of this proof are represented in Figure 2.14. □


As admissible rules, Theorems 2.8 and 2.9 are written subst⁺ₚ and η⁺ₚ:

$$\frac{\Gamma;\cdot\vdash[A^+]\qquad\Gamma,\langle A^+\rangle;\Delta\vdash U}{\Gamma;\Delta\vdash U}\,\mathit{subst}^+_p\qquad\frac{\Gamma,\langle A_p^+\rangle;\Delta\vdash U}{\Gamma;\Delta,A_p^+\vdash U}\,\eta^+_p$$
We can use this persistent identity expansion property to give a compressed proof of our motivating example:

$$\frac{\dfrac{\dfrac{\dfrac{}{\Gamma,\langle G(n)\rangle;\cdot\vdash[G(n)]}\,\mathit{id}^+_p}{\Gamma,\langle G(n)\rangle;\cdot\vdash[!G(n)]}\,!_R}{\Gamma,\langle G(n)\rangle;\cdot\vdash\,!G(n)}\,\mathit{focus}_R}{\Gamma;G(n)\vdash\,!G(n)}\,\eta^+_p$$


Permeable  atomic  propositions 

It would have been possible, in the discussion of focused linear logic in Section 2.3, to present identity expansion as conceptually prior to atomic propositions. In such a retelling, the η+ and η− rules can be motivated as the necessary base cases of identity expansion when we have propositional variables that stand for unknown positive and negative propositions, respectively. Conversely, we can now present a new class of permeable atomic propositions that stand in for arbitrary permeable propositions Aₚ+. These add a new base case to permeable identity expansion (Theorem 2.9) that can only be satisfied with an explicit η⁺ₚ rule:

$$\frac{\Gamma,\langle p_p^+\rangle;\Delta\vdash U}{\Gamma;\Delta,p_p^+\vdash U}\,\eta^+_p$$

Because the permeable propositions are a syntactic refinement of the positive propositions, pₚ+ must be a valid positive atomic proposition as well. This is the revised grammar for intuitionistic MELL with permeable atomic propositions:

A+ ::= p+ | pₚ+ | ↓A− | !A− | 1 | A+ ⊗ B+

Aₚ+ ::= pₚ+ | !A− | 1 | Aₚ+ ⊗ Bₚ+

A− ::= p− | ↑A+ | A+ ⊸ B−

This addition to the logic requires some additions to positive identity expansion, cut admissibility, and completeness, but none of the changes are too severe; we consider each in turn.


Identity expansion  The new addition to the language of positive propositions requires us to extend identity expansion with one additional case, the η+ step on a permeable atom, which is handled by weakening, subst⁺ₚ and η⁺ₚ:

$$\frac{\Gamma;\Delta,\langle p_p^+\rangle\vdash U}{\Gamma;\Delta,p_p^+\vdash U}\,\eta^+\qquad\Longrightarrow\qquad\frac{\dfrac{\dfrac{}{\Gamma,\langle p_p^+\rangle;\cdot\vdash[p_p^+]}\,\mathit{id}^+_p\qquad\dfrac{\Gamma;\Delta,\langle p_p^+\rangle\vdash U}{\Gamma,\langle p_p^+\rangle;\Delta,\langle p_p^+\rangle\vdash U}\,\mathit{weaken}}{\Gamma,\langle p_p^+\rangle;\Delta\vdash U}\,\mathit{subst}^+_p}{\Gamma;\Delta,p_p^+\vdash U}\,\eta^+_p$$

Cut  admissibility  We  must  clarify  the  restriction  on  cut  admissibility  for  our  extended  logic. 
In  Theorem  2.4,  we  required  that  sequents  contain  only  suspensions  of  atomic  propositions,  and 
in  our  generalization  of  cut  admissibility,  we  need  to  further  require  that  all  suspensions  in  the 
persistent  context  T  be  permeable  and  atomic  and  that  all  suspensions  in  the  linear  context  A 
be  non-permeable  and  atomic.  Under  this  restriction,  the  proof  proceeds  much  as  it  did  for  the 
system  with  the  exponential  optimization. 
Correctness of focusing  There are two ways we can understand the soundness and completeness of focusing for linear logic extended with permeable atomic propositions. One option is to add a notion of permeable atomic propositions to our core linear logic from Figure 2.1, in which case soundness and completeness are straightforward. Alternatively, we can use our intuition that a permeable proposition A is interprovable with !A and let (pₚ+)° = !p+.

The erasure of permeable propositions in the focused logic to !p+ in the unfocused logic reveals that permeable propositions, which we motivated entirely from a discussion of identity expansion, are effectively a logical treatment of separation. Rather than ¡, a separate connective that we apply only to positive propositions, permeability is a property intrinsic to a given atomic proposition, much like the proposition's positivity or negativity.


2.6  Revisiting  our  notation 

Andreoli, in his 2001 paper introducing the idea of synthetic inference rules [And01], observed that the atom optimization can lead to an exponential explosion in the number of synthetic rules associated with a proposition. For instance, if a+ ⊗ b+ ⊸ ↑c+ appears in Γ, the atom optimization means that the following are all synthetic inference rules for that proposition:

$$\frac{\Gamma;\Delta,\langle c^+\rangle\vdash U}{\Gamma;\Delta,\langle a^+\rangle,\langle b^+\rangle\vdash U}\qquad\frac{\Gamma,\langle a^+\rangle;\Delta,\langle c^+\rangle\vdash U}{\Gamma,\langle a^+\rangle;\Delta,\langle b^+\rangle\vdash U}$$

$$\frac{\Gamma,\langle b^+\rangle;\Delta,\langle c^+\rangle\vdash U}{\Gamma,\langle b^+\rangle;\Delta,\langle a^+\rangle\vdash U}\qquad\frac{\Gamma,\langle a^+\rangle,\langle b^+\rangle;\Delta,\langle c^+\rangle\vdash U}{\Gamma,\langle a^+\rangle,\langle b^+\rangle;\Delta\vdash U}$$

Andreoli suggests coping with this problem by restricting the form of propositions so that positive atoms never appear in the persistent context. From our perspective, this is a rather unusual recommendation, since it just returns us to linear logic without the atom optimization! The focused system in Section 2.3, which we have argued is a more fundamental presentation (following Chaudhuri), effectively avoids this problem.

However, it's not necessary to view Andreoli's proliferation of rules as a problem with the logic; rather, it is possible to view it merely as a problem of notation. It is already the case that, in writing sequent calculus rules, we tacitly use a fairly large number of notational conventions, at least relative to Gentzen's original formulation where all contexts were treated as sequences of propositions [Gen35]. For instance, the bottom-up reading of the 1R rule's conclusion, Γ; · ⊢ [1], indicates the presence of an additional premise checking that the linear context is empty, and the conclusion Γ; Δ₁, Δ₂ ⊢ [A ⊗ B] of the ⊗R rule indicates the condition that the context can be split into two parts. In other words, both the conclusion of the 1R rule and the ⊗R rule, as we normally write them, can be seen as having special matching constructs that constrain the shape of the context Δ.¹⁴

I  propose  to  deal  with  the  apparent  proliferation  of  synthetic  rules  in  a  system  with  the  atom 
optimization  by  adding  a  new  matching  construct  for  the  conclusion  of  rules.  We  can  say  that 

¹⁴More than anything else we have discussed so far, this is a view of inference rules that emphasizes bottom-up proof search and proof construction. A view of linear logic that is informed by the inverse method, or top-down proof construction, is bound to look very different (see, for example, [Cha06]).
Figure 2.15: Alternative presentation of intuitionistic linear logic


Γ; Δ matches Γ; Δ′/⟨p+⟩ either when ⟨p+⟩ ∈ Γ and Δ = Δ′ or when Δ = (Δ′, ⟨p+⟩). We can also iterate this construction, so that Γ; Δ matches Γ; Δₙ/⟨p₁+⟩, ..., ⟨pₙ+⟩ if Γ; Δ matches Γ; Δ₁/⟨p₁+⟩, Γ; Δ₁ matches Γ; Δ₂/⟨p₂+⟩, ... and Γ; Δₙ₋₁ matches Γ; Δₙ/⟨pₙ+⟩. Armed with this notation, we can create a concise synthetic connective that is equivalent to the four rules discussed previously:

$$\frac{\Gamma;\Delta,\langle c^+\rangle\vdash U}{\Gamma;\Delta/\langle a^+\rangle,\langle b^+\rangle\vdash U}$$


This modified notation need not be reserved for synthetic connectives; we can also use it to combine the two positive identity rules id¡ and id+ (in the exponential-optimized system) or, equivalently, id⁺ₚ and id+ (in the system incorporating permeability). Furthermore, by giving Γ; Δ/A− the obviously analogous meaning, we can fuse the focusL rule and the copy rule into a single rule that is unconcerned with whether the proposition in question came from the persistent or linear contexts:

$$\frac{}{\Gamma;\cdot/\langle A^+\rangle\vdash[A^+]}\,\mathit{id}^+\qquad\frac{\Gamma;\Delta,[A^-]\vdash U}{\Gamma;\Delta/A^-\vdash U}\,\mathit{focus}_L$$


Going yet one more step, we could use this notation to revise the original definition of linear logic in Figure 2.1. The copy rule in that presentation sticks out as the only rule that doesn't deal directly with a connective, but we can eliminate it by using the Γ; Δ/A matching construct. The resulting presentation, shown in Figure 2.15, is equivalent to the presentation in Figure 2.1.


Theorem 2.10. Γ; Δ ⟶ C according to the rules of Figure 2.1 if and only if Γ; Δ ⟶ C according to the rules of Figure 2.15.

Proof. The reverse direction is a straightforward induction: each rule in Figure 2.15 can be translated as the related rule in Figure 2.1 along with (potentially) an instance of the copy rule.

The forward direction requires a lemma that the copy rule is admissible according to the rules of Figure 2.15; this lemma can be established by straightforward induction. Having established the lemma, the forward direction is a straightforward induction on derivations, applying the admissible rule whenever the copy rule is encountered. □
Chapter 3

Substructural logic


Linear logic is the most famous of the substructural logics. Traditional intuitionistic logic, which
we call persistent to emphasize the treatment of truth as a persistent and reusable resource, admits the three so-called structural rules of weakening (premises need not be used), contraction
(premises may be used multiple times) and exchange (the ordering of premises is irrelevant).
Substructural logics, then, are logics that do not admit all of these structural rules: linear logic has
only exchange, affine logic (which is frequently conflated with linear logic by programming language designers) has exchange and weakening, and ordered logic, first investigated as a proof
theory by Lambek [Lam58], lacks all three.

Calling logics like linear, affine, and ordered logic substructural relative to persistent logic is
greatly unfair to the substructural logics. Girard’s linear logic can express persistent provability
using the exponential connective !A, and this idea is generally applicable in substructural logics
- for instance, it was applied by Polakow and Pfenning to Lambek’s ordered logic [PP99]. It is
certainly too late to advocate for these logics to be understood as superstructural logics, but that
is undoubtedly what they are: generalizations of persistent logic that introduce more expressive
power.

In this chapter, we will define a first-order ordered linear logic with a lax connective ○A
in both unfocused (Section 3.1) and focused (Section 3.3) flavors (this logic will henceforth be
called OL3, for ordered linear lax logic). Then, following the structural focalization methodology
introduced in the previous chapter, we establish cut admissibility (Section 3.4) and identity
expansion (Section 3.5) for focused OL3; with these results, it is possible to prove the soundness
and completeness of focusing (Section 3.6) for OL3. A fragment of this system will form the
basis of the logical framework in Chapter 4, and that framework will, in turn, underpin the rest
of this dissertation.

Why present the rich logic OL3 here if only the fragment detailed in Chapter 4 is needed?
There are two main reasons. First, while we will use only a fragment of this logic in Chapter 4,
other fragments of the logic may well be interesting and useful for other purposes. Second,
the presentation in this chapter, and in particular the discussion of substructural contexts in Section 3.2, introduces a presentation style and infrastructure that I believe will generalize to focused
presentations of richer logics, such as the logic of bunched implications [Pym02], non-associative
ordered logic (or “rigid logic”) [Sim09], subexponential logics [NM09], and so on.

Furthermore, the choice to present a full account of focusing in OL3 is in keeping with Andreoli’s
insistence that we should avoid ambiguity as to whether we are “defining a foundational
paradigm or a [logic] programming language (two objectives that should clearly be kept separate)” [And01]. Both the full logic OL3 and the general methodology followed in this chapter are
general, foundational paradigms within which it is possible to instantiate families of logic programming languages and logical frameworks, even though we will focus on a particular logical
framework starting in Chapter 4.


3.1  Ordered  linear  lax  logic 

Ordered linear logic was the subject of Polakow’s dissertation [Pol01]. It extends linear logic
with a notion of ordered resources. The multiplicative conjunction A ⊗ B of linear logic, which
represents that we have both the resources to make an A and a B, is replaced in ordered logic
by an ordered multiplicative conjunction A • B, which represents that we have the resources to
make an A, and they’re to the left of the resources necessary to make a B. Linear implication
A ⊸ B, which represents a resource that, given the resources necessary to construct an A, can
construct a B, splits into two propositions in ordered logic. The proposition A ↣ B represents
a resource that, given the resources necessary to construct an A to the left, can construct a B; the
proposition A ↠ B demands those resources to its right.

Ordered propositions were used by Lambek to model language [Lam58]. The word “clever”
is an adjective that, given a noun to its right, constructs a noun phrase (“ideas” is a noun, and
“clever ideas” is a noun phrase). Therefore, the word “clever” can be seen as an ordered resource
Noun ↠ NounPhrase. Similarly, the word “quietly” is an adverb that, given a verb to its left,
constructs a verb phrase (“sleeps” is a verb, and “sleeps quietly” is a verb phrase). Therefore,
the word “quietly” can be seen as an ordered resource Verb ↣ VerbPhrase. The key innovation
made by Polakow and Pfenning was integrating both persistent and linear logic into Lambek’s
system with the persistent exponential !A and the mobile exponential ¡A. The latter proposition
is pronounced “A mobile” or, whimsically, “gnab A” in reference to the pronunciation of !A as
“bang A.”

The primary sequent of ordered logic is Γ; Δ; Ω ⟹ A true, which expresses that A is
a resource derivable from the persistent resources in Γ, the ephemeral resources in Δ, and the
ephemeral, ordered resources in Ω. The persistent context Γ and the linear context Δ are multisets
as before (so we think of Δ₁, Δ₂ as being equal to Δ₂, Δ₁, for instance). The ordered context
Ω is a sequence of propositions, as in Gentzen’s original presentation of sequent calculi, and not
a multiset. This means that the two ordered contexts Ω₁, Ω₂ and Ω₂, Ω₁ are, in general, not the
same.

The presentation of ordered linear lax logic in Figure 3.1 uses an ordered logic adaptation of
the matching constructs introduced in Section 2.6; all the left rules in that figure use the construct

Γ; Δ; Ω_L/A/Ω_R ⟹ U, which matches the sequent Γ; Δ'; Ω' ⟹ U

* if Ω' = (Ω_L, A, Ω_R) and Δ' = Δ;

* if Ω' = (Ω_L, Ω_R) and Δ' = (Δ, A);

* or if Ω' = (Ω_L, Ω_R), Δ' = Δ, and A ∈ Γ.

As in the alternative presentation of linear logic where copy was admissible, both the copy rule
and a rule Polakow called place are admissible in the logic described in Figure 3.1.

$$\dfrac{\Gamma, A; \Delta; \Omega_L, A, \Omega_R \Longrightarrow U}{\Gamma, A; \Delta; \Omega_L, \Omega_R \Longrightarrow U}\ \mathit{copy}
\qquad
\dfrac{\Gamma; \Delta; \Omega_L, A, \Omega_R \Longrightarrow U}{\Gamma; \Delta, A; \Omega_L, \Omega_R \Longrightarrow U}\ \mathit{place}$$

When  this  notation  is  used  in  the  rule  id,  the  meaning  is  that  the  atomic  proposition  p  is  either  the 
only  thing  in  the  ordered  context  alongside  an  empty  linear  context,  or  else  it  is  the  only  thing 
in  the  linear  context  alongside  an  empty  ordered  context,  or  else  both  the  linear  and  ordered 
contexts  are  empty  and  p  is  present  in  the  persistent  context.  This  notion  will  be  called  sole 
membership  in  Section  3.2.1. 

Ordered linear lax logic also encompasses Fairtlough and Mendler’s lax logic [FM97] as
reconstructed by Pfenning and Davies [PD01] and, adapted to linear logic, made the basis of the CLF
logical framework [WCPW02]. The judgment A lax is the foundation of ordered logic, and is
usually interpreted as truth under some unspecified constraint or as a weaker version of truth: if
we know A true then we can conclude A lax:

$$\dfrac{\Gamma; \Delta; \Omega \Longrightarrow A\ \mathit{true}}{\Gamma; \Delta; \Omega \Longrightarrow A\ \mathit{lax}}\ \mathit{lax}$$

If we know A lax, on the other hand, we cannot prove A true, though we can prove ○A true,
where ○A is the propositional internalization of the lax judgment (rule ○R in Figure 3.1).

Lax truth is handled with the use of matching constructs, thereby making the lax rule
above admissible just like copy and place are admissible. We write all the right rules in Figure 3.1
with a construct Γ; Δ; Ω ⟹ A lvl that matches both sequents of the form Γ; Δ; Ω ⟹ A true
and sequents of the form Γ; Δ; Ω ⟹ A lax - in other words, we treat lvl as a metavariable
(“level”) that stands for the judgments true or lax on the right. The use of this construct gives us
right rules for A ⊕ B that look like this:

$$\dfrac{\Gamma; \Delta; \Omega \Longrightarrow A\ \mathit{true}}{\Gamma; \Delta; \Omega \Longrightarrow A \oplus B\ \mathit{lvl}}\ \oplus R_1
\qquad
\dfrac{\Gamma; \Delta; \Omega \Longrightarrow B\ \mathit{true}}{\Gamma; \Delta; \Omega \Longrightarrow A \oplus B\ \mathit{lvl}}\ \oplus R_2$$


The metavariable U is even more generic, standing for an arbitrary succedent A true or A lax.
Putting the pieces of ordered linear lax logic together into one sequent calculus in Figure 3.1 is a
relatively straightforward proof-theoretic exercise; the language of propositions is as follows:

Propositions A, B, C ::= p | !A | ¡A | ○A |
    1 | A • B | A ↣ B | A ↠ B | 0 | A ⊕ B | ⊤ | A & B |
    ∃a:τ.A | ∀a:τ.A | t =τ s

The connectives 1, 0, A ⊕ B, ⊤, and A & B were not mentioned above but are closely
analogous to their counterparts in linear logic. The first-order connectives ∃a:τ.A, ∀a:τ.A, and
t =τ s will be discussed presently.
[Figure 3.1: Propositional ordered linear lax logic. The figure gives the sequent rules in four groups: atomic propositions (id); exponentials (!R, !L, ¡R, ¡L, ○R, ○L); multiplicative connectives (1R, 1L, •R, •L, ↣R, ↣L, ↠R, ↠L); and additive connectives (0L, ⊕R1, ⊕R2, ⊕L, ⊤R, &R, &L1, &L2). Every left rule is written with the matching construct Γ; Δ; Ω_L/A/Ω_R ⟹ U and every right rule with the construct Γ; Δ; Ω ⟹ A lvl described in Section 3.1.]
[Figure 3.2: First-order ordered linear lax logic. Every sequent is extended with the first-order context Ψ, and the figure gives the rules for ∃a:τ.A, ∀a:τ.A, and t =τ s (the left rule =L with its higher-order premise is discussed in Section 3.1.1). The one rule that survives the scan legibly is ∀L:]

$$\dfrac{\Psi \vdash t : \tau \qquad \Psi; \Gamma; \Delta; \Omega_L, [t/a]B, \Omega_R \Longrightarrow U}{\Psi; \Gamma; \Delta; \Omega_L/\forall a{:}\tau.B/\Omega_R \Longrightarrow U}\ \forall L$$


3.1.1  First-order  logic 

The presentation in Figure 3.1 is propositional; by uniformly adding a first-order context Ψ to all
sequents it can be treated as first-order. We define quantification (existential and universal), as
well as first-order equality,¹ in Figure 3.2.

The equality proposition t =τ s is an interesting addition to our presentation of the logic,
and will be present in the framework SLS defined in the next chapter, albeit in a highly restricted
form. Equality in SLS will be used primarily in the logical transformations presented in Chapter 7 and in the program analysis methodology in Chapter 8. The left rule for equality t =τ s
has a higher-order premise, in the sense that it reflects over the definition of simultaneous term
substitutions Ψ' ⊢ σ : Ψ and over the syntactic equality judgment for first-order terms t = s.
We used this exact style of presentation previously in [SP11b], but the approach is based on
Schroeder-Heister’s treatment of definitional reflection [SH93].

In one sense, the left rule =L is actually a rule schema: there is one premise for each substitution σ that is a unifier for t and s (a unifier is any substitution σ that makes σt and σs syntactically
identical). When we induct over the structure of proofs, there is correspondingly one smaller subderivation for each unifying substitution. By this reading, =L is a rule that, in general, will have
countably many premises; in the case of a trivially satisfiable equality problem like x =τ x it will
have one premise for each well-formed substitution that substitutes a term of the appropriate type
for x. However, as suggested by Zeilberger [Zei08a], it is more auspicious to take the higher-order formulation at face value: the premise is actually a (meta-level) mapping - a function - that
takes a substitution σ, the codomain Ψ' of that substitution, and any evidence necessary to show
that σ unifies t and s and returns a derivation of Ψ'; σΓ; σΔ; σΩ_L, σΩ_R ⟹ σU. When we induct over the structure of proofs, the result of applying any unifying substitution to this function
is a smaller subderivation for the purpose of invoking the induction hypothesis. This functional
interpretation will be reflected in the proof terms we assign to focused OL3 in Section 3.3.3.

There are two important special cases. First, an unsatisfiable equation on the left implies a
contradiction, and makes the left rule for equality equivalent (at the level of provability) to one
with no premises. For instance, this means that

$$\dfrac{\text{no unifier for } t \text{ and } s}{\Psi; \Gamma; \Delta; \Omega_L/t =_\tau s/\Omega_R \Longrightarrow U}\ =_{\mathit{no}}$$

is derivable - a unifier is just a substitution σ such that σt and σs are syntactically identical. The
other important special case is when t and s have a most general unifier σ_mgu, which just means
that for all Ψ' ⊢ σ : Ψ such that σt = σs, it is the case that σ = σ' ∘ σ_mgu for some σ'.² In this
case, the left rule for equality is equivalent (again, at the level of determining which sequents are
provable) to the following rule:

$$\dfrac{\sigma = \mathit{mgu}(t,s) \qquad \Psi' \vdash \sigma : \Psi \qquad \Psi'; \sigma\Gamma; \sigma\Delta; \sigma\Omega_L, \sigma\Omega_R \Longrightarrow \sigma U}{\Psi; \Gamma; \Delta; \Omega_L/t =_\tau s/\Omega_R \Longrightarrow U}\ =_{\mathit{yes}}$$

Therefore, given a first-order domain in which any two terms are decidably either non-unifiable
or unifiable with a most general unifier, we can choose to define the logic with two rules =no and
=yes; the resulting logic will be equivalent, at the level of derivable sequents, to the logic defined
with the =L rule.

¹That is, equality of terms from the domain of first-order quantification.
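As an added worked example (not part of the dissertation), the two special cases above can be made concrete with a small first-order unifier: it either reports that t and s have no unifier (the situation in which =no applies) or returns a most general unifier σ_mgu (the situation in which =yes applies), and it checks the factorization σ = σ' ∘ σ_mgu from footnote 2 for a sample unifier σ. Terms are untyped here, so the typing judgment Ψ' ⊢ σ : Ψ is left out; the term encoding (variables as strings beginning with "?", applications as (name, args) tuples), the function names, and the sample terms are this example's own constructions.

```python
# Added example: first-order terms are either variables (strings starting with "?")
# or applications (name, args) with args a tuple; constants are applications with
# no arguments. Substitutions are dicts from variable names to terms.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def apply(sigma, t):
    """sigma t: apply the substitution, resolving chains of bindings."""
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    name, args = t
    return (name, tuple(apply(sigma, a) for a in args))

def occurs(v, t, sigma):
    """Occurs check: does variable v appear in sigma t? (Rules out cyclic bindings.)"""
    t = apply(sigma, t)
    if is_var(t):
        return v == t
    return any(occurs(v, a, sigma) for a in t[1])

def unify(t, s, sigma=None):
    """Extend sigma to a unifier of t and s, or return None if none exists."""
    sigma = {} if sigma is None else sigma
    t, s = apply(sigma, t), apply(sigma, s)
    if t == s:
        return sigma
    if is_var(t):
        return None if occurs(t, s, sigma) else {**sigma, t: s}
    if is_var(s):
        return unify(s, t, sigma)
    if t[0] != s[0] or len(t[1]) != len(s[1]):
        return None                      # clash: different head symbol or arity
    for a, b in zip(t[1], s[1]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def mgu(t, s):
    """Most general unifier of t and s in idempotent form, or None (no unifier)."""
    sigma = unify(t, s)
    return None if sigma is None else {v: apply(sigma, v) for v in sigma}

def compose(outer, inner):
    """(outer o inner) t = outer (inner t): the composition of footnote 2."""
    result = {v: apply(outer, tm) for v, tm in inner.items()}
    for v, tm in outer.items():
        result.setdefault(v, tm)
    return result

def equality_left(t, s):
    """Which special case of =L applies to t =tau s on the left:
    ("no", None) when t and s have no unifier (rule =no, zero premises), and
    ("yes", sigma_mgu) when they have a most general unifier (rule =yes, one premise)."""
    sigma = mgu(t, s)
    return ("no", None) if sigma is None else ("yes", sigma)

def factors_through_mgu(t, s, sigma):
    """Check sigma = sigma' o sigma_mgu for a unifier sigma of t and s; since the
    computed mgu is idempotent, sigma' = sigma itself witnesses the factorization."""
    sigma_mgu = mgu(t, s)
    if sigma_mgu is None or apply(sigma, t) != apply(sigma, s):
        return False
    composed = compose(sigma, sigma_mgu)
    variables = set(sigma) | set(sigma_mgu)
    return all(apply(composed, v) == apply(sigma, v) for v in variables)

# Constructed sample terms: f(?x, b) and f(a, ?y) unify with mgu {?x -> a, ?y -> b};
# the constants a and b do not unify; ?x and f(?x) fail the occurs check.
A, B = ("a", ()), ("b", ())
T1, S1 = ("f", ("?x", B)), ("f", (A, "?y"))
```

Note that x =τ x, the trivially satisfiable problem mentioned above, is the case where the most general unifier is the identity substitution: equality_left("?x", "?x") returns ("yes", {}), so the =yes premise is just the original sequent.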

We have not yet thoroughly specified the type and term structure of first-order individuals; in
Section 4.1 we clarify that these types and terms will actually be types and terms of Spine Form
LF. This does mean that we will have to pay attention, in the proofs of this chapter, to the fact
that the types of first-order terms τ are dependent types that may include terms t. Particularly
relevant in this chapter will be simultaneous substitutions σ: the judgment Ψ' ⊢ σ : Ψ expresses
that σ can map terms and propositions defined in the context Ψ (the domain of the substitution)
to terms and propositions defined in the context Ψ' (the range of the substitution). Simultaneous
substitutions are defined more carefully in Section 4.1.2 and in [NPP08].

3.2  Substructural  contexts 

First-order ordered linear lax logic has a lot of contexts - the persistent context Γ, the linear context
Δ, the ordered context Ω, and the first-order context Ψ. In most presentations of substructural
logics, the many contexts primarily serve to obscure the logic’s presentation and ensure that the
LaTeX code of figures and displays remains permanently unreadable. And there are yet more
contexts we might want to add, such as the affine contexts present in the Celf implementation
[SNS08].

In this section, we will consider a more compact way of dealing with the contexts that we interpret as containing resources (persistent, affine, linear, or ordered resources), though we choose
to maintain the distinction between resource contexts and first-order variable contexts Ψ. The
particular way we define substructural contexts can be generalized substantially: it would be
possible to extend this presentation to the affine exponential @A, and we conjecture that the
subexponentials discussed by Nigam and Miller [NM09] - as well as richer logics like the logic
of bunched implications [Pym02] - could be given a straightforward treatment using this notation.

²Where ∘ is composition: (σ' ∘ σ_mgu)t = σ'(σ_mgu t).
We write unified substructural contexts as either Δ or Ξ, preferring the latter when there is a
chance of confusing them with linear contexts Δ. For the purposes of encoding OL3, we can see
these contexts as sequences of variable declarations, defined by the grammar

Ξ ::= · | Ξ, x:T ord | Ξ, x:T eph | Ξ, x:T pers

where each of the variables x is distinct, so that the context also represents a finite map from
variables x to judgments T lvl, where lvl is either ord, eph, or pers. By separating out a substructural context into three subsequences of persistent, linear, and ordered judgments, we can
recover the presentation of contexts for OL3 given in Figure 3.1. We will use this observation
in an informal way throughout the chapter, writing Ξ = Γ; Δ; Ω.

The domain represented by the metavariable T is arbitrary: when discussing the unfocused
logic given in Figure 3.1, T varies over unpolarized propositions A, but when discussing a focused logic in Section 3.3 it will vary over stable negative propositions A⁻, positive suspended
propositions ⟨A⁺⟩, focused negative propositions [A⁻], and inverting positive propositions A⁺.

The key innovation in this presentation was already present in the unfocused logic shown in
Figure 3.1: we need to differentiate constructions, which appear in the premises of rules, and
matching constructs, which appear in the conclusions of rules. The notation Γ; Δ; Ω_L/A • B/Ω_R
that appears in the conclusion of •L is a matching construct; as discussed in Section 3.1, there
are multiple ways in which a context Γ'; Δ'; Ω' could match this context, because A • B could
come from any of the three contexts. However, Γ; Δ; Ω_L, A, B, Ω_R in the premise of •L is a
construction, and is unambiguously equal to only one context Γ'; Δ'; Ω' - the one where Γ' = Γ,
Δ' = Δ, and Ω' = Ω_L, A, B, Ω_R.


3.2.1  Fundamental  operations  on  contexts 

The first fundamental idea we consider is singleton contexts. We construct a single-element context by writing x:T lvl. The corresponding matching construct on contexts is x:T. In unfocused
OL3, we say that Ξ matches x:A if its decomposition into persistent, linear, and ordered contexts
matches Γ; ·; /A/. Specifically,

Definition 3.1 (Sole membership). Ξ matches x:T if

* Ξ contains no linear judgments and contains exactly one ordered judgment x:T ord (corresponding to the situation where Ξ = Γ; ·; T),

* Ξ contains no ordered judgments and contains exactly one linear judgment x:T eph (corresponding to the situation where Ξ = Γ; T; ·), or

* Ξ contains only persistent judgments, including x:T pers (corresponding to the situation
where Ξ = Γ, T; ·; ·).


Sole membership is related to the initial sequents and the matching construct Γ; ·; /A/ for
contexts that was used in Figure 3.1. We could rewrite the id rule from that figure as follows:

$$\dfrac{}{x{:}p \Longrightarrow p\ \mathit{lvl}}\ \mathit{id}$$

As with all rules involving matching constructs in the conclusion, it is fair to view the matching
construct as an extra premise; thus, the id rule above is the same as the id rule below:

$$\dfrac{\Xi \text{ matches } x{:}p}{\Xi \Longrightarrow p\ \mathit{lvl}}\ \mathit{id}$$


The second basic operation on contexts requires a new concept, frames Θ. Intuitively, we can
view a frame as a set of persistent, linear, and ordered contexts where the ordered context is missing a particular piece. We can write this missing piece as a box: Γ; Δ; Ω_L, □, Ω_R. Alternatively,
we can think of a frame as a one-hole context or Huet-style zipper [Hue97] over the structure of
substructural contexts. We will also think of them morally as linear functions (λΞ. Ξ_L, Ξ, Ξ_R) as
in [Sim09].

The construction associated with frames, Θ{Ξ}, is just a straightforward operation of filling
in the hole or β-reducing the linear function; doing this requires that the variables in Θ and Ξ be
distinct. If we think of Θ informally as Γ; Δ; Ω_L, □, Ω_R, then this is almost like the operation of
filling in the hole, as Θ{x:A ord} = Γ; Δ; Ω_L, A, Ω_R. The main difference is that we can also
use the operation to insert linear propositions (Θ{x:A eph} = Γ; Δ, A; Ω_L, Ω_R) and persistent
propositions (Θ{x:A pers} = Γ, A; Δ; Ω_L, Ω_R).

The construction associated with frames is straightforward, but the matching construct associated with frames is a bit more complicated. Informally, if we treat linear contexts as multisets and say that Ξ = Γ; Δ, Δ'; Ω_L, Ω', Ω_R, then we can say Ξ = Θ{{Ξ'}} in the case that
Θ = Γ; Δ; Ω_L, □, Ω_R and Ξ' = Γ; Δ'; Ω'. The sub-context Ξ', then, has been framed off from Ξ;
its frame is Θ. If we only had ordered judgments T ord, then the framing-off matching construct
Θ{{Ξ'}} would be essentially the same as the construction form Θ{Ξ'}. However, persistent and
linear judgments can be reordered in the process of matching, and persistent judgments always
end up in both the frame and the framed-off context.

Definition 3.2 (Framing off). Ξ matches Θ{{Ξ'}} if the union of the variables in Θ and Ξ' is
exactly the variables in Ξ and

* if x:T pers ∈ Ξ, then the same variable declaration appears in Θ and Ξ';

* if x:T eph ∈ Ξ or x:T ord ∈ Ξ, then the same variable declaration appears in Θ or Ξ'
(but not both);

* in both Θ and Ξ', the sequence of variable declarations x:T ord is a subsequence of Ξ;
and

* if x:T ord ∈ Θ, then either

  ■ for all y:T' ord ∈ Ξ', the variable declaration for x appeared before the variable
  declaration for y in Ξ, or

  ■ for all y:T' ord ∈ Ξ', the variable declaration for x appeared after the variable
  declaration for y in Ξ.


We can use the framing-off notation to describe one of the cut principles for ordered linear
lax logic as follows:

$$\dfrac{\Xi \Longrightarrow A\ \mathit{true} \qquad \Theta\{x{:}A\ \mathit{true}\} \Longrightarrow C\ \mathit{true}}{\Theta\{\!\{\Xi\}\!\} \Longrightarrow C\ \mathit{true}}\ \mathit{cut}$$

Especially for the eventual proof of this cut principle, it is important to consider that the admissible rule above is equivalent to the following admissible rule, which describes the matching as
an explicit extra premise:

$$\dfrac{\Xi \Longrightarrow A\ \mathit{true} \qquad \Theta\{x{:}A\ \mathit{true}\} \Longrightarrow C\ \mathit{true} \qquad \Xi' \text{ matches } \Theta\{\!\{\Xi\}\!\}}{\Xi' \Longrightarrow C\ \mathit{true}}\ \mathit{cut}$$


An important derived matching construct is Θ{{x:T}}, which matches Ξ if Ξ matches Θ{{Ξ'}}
for some Ξ' such that Ξ' matches x:T. This notation is equivalent to the matching construct
Γ; Δ; Ω_L/A/Ω_R ⟹ U from Figure 3.1, which is needed to describe almost every left rule for
OL3. Here are three rules given with this matching construct:

$$\dfrac{\Theta\{y{:}A\ \mathit{ord}\} \Longrightarrow U \qquad \Theta\{z{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{x{:}A \oplus B\}\!\} \Longrightarrow U}\ \oplus L
\qquad
\dfrac{\Theta\{y{:}A\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{x{:}A \,\&\, B\}\!\} \Longrightarrow U}\ \&L_1
\qquad
\dfrac{\Theta\{y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{x{:}A \,\&\, B\}\!\} \Longrightarrow U}\ \&L_2$$

To reemphasize, the reason we use the matching construct Θ{{x:A}} in the conclusions of
rules is the same reason that we used the notation Γ; Δ; Ω_L/A/Ω_R in Figures 3.1 and 3.2: it
allows us to generically talk about hypotheses associated with the judgments ord, eph, and pers.
The following rules are all derivable using the last of the three rules above:

$$\dfrac{\Theta\{y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{x{:}A \,\&\, B\ \mathit{ord}\} \Longrightarrow U}
\qquad
\dfrac{\Theta\{y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{x{:}A \,\&\, B\ \mathit{eph}\} \Longrightarrow U}
\qquad
\dfrac{\Theta\{x{:}A \,\&\, B\ \mathit{pers}, y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{x{:}A \,\&\, B\ \mathit{pers}\} \Longrightarrow U}$$

The consistent use of matching constructs like Θ{{x:A}} in the conclusion of rules is also what
gives us the space to informally treat syntactically distinct sequences of variable declarations
as equivalent. As an example, we can think of (x:A eph, y:B eph) and (y:B eph, x:A eph) as
equivalent by virtue of the fact that they satisfy the same set of matching constructs. Obviously,
this means that none of the matching constructs presented in the remainder of this section will
observe the ordering of ephemeral or persistent variable declarations.


3.2.2  Multiplicative  operations 

To describe the multiplicative connectives of OL3, including the critical implication connectives,
we need to have multiplicative operations on contexts. As a construction, Ξ_L, Ξ_R is just the
syntactic concatenation of two contexts with distinct variable domains, and the unit · is just the
empty sequence. The matching constructs are more complicated to define, but the intuition is,
again, uncomplicated: if Ξ = Γ; Δ, Δ'; Ω_L, Ω_R, where linear contexts are multisets and ordered
contexts are sequences, then Ξ = Ξ_L, Ξ_R if Ξ_L = Γ; Δ; Ω_L and Ξ_R = Γ; Δ'; Ω_R. Note that here
we are using the same notation for constructions and matching constructs: Ξ_L, Ξ_R is a matching
construct when it appears in the conclusion of a rule, and Ξ_L, Ξ_R is a construction when it appears in
the premise of a rule.

Definition 3.3 (Conjunction).

Ξ matches · if Ξ contains only persistent judgments.

Ξ matches Ξ_L, Ξ_R if the union of the variables in Ξ_L and Ξ_R is exactly the variables in Ξ and

* if x:T pers ∈ Ξ, then the same variable declaration appears in Ξ_L and Ξ_R;

* if x:T eph ∈ Ξ or x:T ord ∈ Ξ, then the same variable declaration appears in Ξ_L or Ξ_R
(but not both);

* in both Ξ_L and Ξ_R, the sequence of variable declarations x:T ord is a subsequence of Ξ;
and

* if x:T ord ∈ Ξ_L and y:T' ord ∈ Ξ_R, then the variable declaration for x appeared before
the variable declaration for y in Ξ.
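As an added worked example (not the dissertation's own code), the definitions of this section can be executed directly: a unified context Ξ is a Python list of declarations (x, T, lvl), and the functions below implement sole membership (Definition 3.1), the construction Θ{Ξ'}, framing off (Definition 3.2) as an enumeration of every frame Θ and framed-off sub-context Ξ', the derived construct Θ{{x:T}} (which recovers the three ways the construct Γ; Δ; Ω_L/A/Ω_R of Section 3.1 matches a sequent), and context conjunction (Definition 3.3). The Frame representation of Θ as Γ; Δ; Ω_L, □, Ω_R, the function names, and the sample contexts are this example's own choices.

```python
from itertools import combinations
from typing import NamedTuple

# Added example. A declaration x:T lvl is the triple (x, T, lvl) with lvl in
# {"ord", "eph", "pers"}; a unified context Xi is a list of declarations with
# distinct variables. Only the relative order of "ord" declarations is observed,
# as at the end of Section 3.2.1.

def levels(ctx):
    """Decompose Xi into Gamma; Delta; Omega (persistent, ephemeral, ordered parts)."""
    gamma = [d for d in ctx if d[2] == "pers"]
    delta = [d for d in ctx if d[2] == "eph"]
    omega = [d for d in ctx if d[2] == "ord"]
    return gamma, delta, omega

def names(decls):
    return [d[0] for d in decls]

def matches_singleton(ctx, x):
    """Definition 3.1 (sole membership): does Xi match x:T?"""
    gamma, delta, omega = levels(ctx)
    if not delta and names(omega) == [x]:            # Xi = Gamma; .; T
        return True
    if not omega and names(delta) == [x]:            # Xi = Gamma; T; .
        return True
    return not delta and not omega and x in names(gamma)   # Xi = Gamma, T; .; .

def matches_unit(ctx):
    """Definition 3.3: Xi matches the unit . iff it has only pers judgments."""
    return all(d[2] == "pers" for d in ctx)

class Frame(NamedTuple):
    """A frame Theta = Gamma; Delta; Omega_L, [], Omega_R (hypothetical representation)."""
    gamma: tuple
    delta: tuple
    left: tuple    # ordered declarations to the left of the hole
    right: tuple   # ordered declarations to the right of the hole

def fill(theta, sub):
    """Construction Theta{Xi'}: plug Xi' into the hole. Variables of Theta and Xi'
    must be distinct, except that persistent declarations shared with Theta (as
    framing off produces them) are not duplicated."""
    frame_vars = set(names(theta.delta + theta.left + theta.right))
    assert frame_vars.isdisjoint(names(sub)), "variables of Theta and Xi' must be distinct"
    shared = set(names(theta.gamma))
    extra = [d for d in sub if not (d[2] == "pers" and d[0] in shared)]
    return list(theta.gamma + theta.delta + theta.left) + extra + list(theta.right)

def frame_offs(ctx):
    """Definition 3.2 (framing off): every (Theta, Xi') such that Xi matches Theta{{Xi'}}.
    Persistent declarations go to both; each ephemeral declaration goes to exactly one;
    the ordered declarations of Xi' form a contiguous block of Omega, so every ordered
    declaration of Theta lies entirely before or entirely after them."""
    gamma, delta, omega = levels(ctx)
    result = []
    for k in range(len(delta) + 1):
        for eph_sub in combinations(delta, k):
            eph_frame = tuple(d for d in delta if d not in eph_sub)
            for i in range(len(omega) + 1):
                for j in range(i, len(omega) + 1):
                    theta = Frame(tuple(gamma), eph_frame, tuple(omega[:i]), tuple(omega[j:]))
                    result.append((theta, gamma + list(eph_sub) + omega[i:j]))
    return result

def frame_off_singleton(ctx, x):
    """Derived construct Theta{{x:T}}: framings whose framed-off part solely contains x.
    For Xi = Gamma; Delta; Omega these are exactly the three ways the Section 3.1
    construct Gamma; Delta; Omega_L/A/Omega_R matches: A ordered, A linear, or A in Gamma."""
    return [(theta, sub) for theta, sub in frame_offs(ctx) if matches_singleton(sub, x)]

def conjunction_splits(ctx):
    """Definition 3.3 (conjunction): every (Xi_L, Xi_R) such that Xi matches Xi_L, Xi_R.
    Persistent declarations go to both, ephemeral ones to exactly one side, and the
    ordered declarations of Xi_L all precede those of Xi_R in Omega."""
    gamma, delta, omega = levels(ctx)
    result = []
    for k in range(len(delta) + 1):
        for eph_left in combinations(delta, k):
            eph_right = [d for d in delta if d not in eph_left]
            for i in range(len(omega) + 1):
                result.append((gamma + list(eph_left) + omega[:i],
                               gamma + eph_right + omega[i:]))
    return result

# Constructed sample contexts: XI1 = c:R; b:Q; a:P (one judgment at each level) and
# XI2 = .; c:R; a:P, b:Q (two ordered judgments and one ephemeral one).
XI1 = [("a", "P", "ord"), ("b", "Q", "eph"), ("c", "R", "pers")]
XI2 = [("a", "P", "ord"), ("b", "Q", "ord"), ("c", "R", "eph")]
```

For XI1, frame_off_singleton finds exactly one framing with the ordered a:P framed off, while the ephemeral b:Q and the persistent c:R can each be framed off with the hole on either side of a:P; filling every frame with its framed-off part recovers XI1 up to the reordering of ephemeral and persistent declarations that the end of Section 3.2.1 declares irrelevant.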


The constructs for context conjunction are put to obvious use in the description of multiplicative conjunction, which is essentially just the propositional internalization of context conjunction:

$$\dfrac{\Xi_L \Longrightarrow A\ \mathit{true} \qquad \Xi_R \Longrightarrow B\ \mathit{true}}{\Xi_L, \Xi_R \Longrightarrow A \bullet B\ \mathit{lvl}}\ \bullet R
\qquad
\dfrac{\Theta\{y{:}A\ \mathit{ord}, z{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{x{:}A \bullet B\}\!\} \Longrightarrow U}\ \bullet L
\qquad
\dfrac{}{\cdot \Longrightarrow 1\ \mathit{lvl}}\ 1R
\qquad
\dfrac{\Theta\{\cdot\} \Longrightarrow U}{\Theta\{\!\{x{:}1\}\!\} \Longrightarrow U}\ 1L$$

$$\dfrac{x{:}A\ \mathit{ord}, \Xi \Longrightarrow B\ \mathit{true}}{\Xi \Longrightarrow A \rightarrowtail B\ \mathit{lvl}}\ \rightarrowtail R
\qquad
\dfrac{\Xi, x{:}A\ \mathit{ord} \Longrightarrow B\ \mathit{true}}{\Xi \Longrightarrow A \twoheadrightarrow B\ \mathit{lvl}}\ \twoheadrightarrow R$$

$$\dfrac{\Xi_A \Longrightarrow A\ \mathit{true} \qquad \Theta\{y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{\Xi_A, x{:}A \rightarrowtail B\}\!\} \Longrightarrow U}\ \rightarrowtail L
\qquad
\dfrac{\Xi_A \Longrightarrow A\ \mathit{true} \qquad \Theta\{y{:}B\ \mathit{ord}\} \Longrightarrow U}{\Theta\{\!\{x{:}A \twoheadrightarrow B, \Xi_A\}\!\} \Longrightarrow U}\ \twoheadrightarrow L$$

Implication makes deeper use of context conjunction: Ξ matches Θ{{Ξ_A, x:A ↣ B}} exactly
when there exist Ξ' and Ξ'' such that Ξ matches Θ{{Ξ'}}, Ξ' matches Ξ_A, Ξ'', and Ξ'' matches
x:A ↣ B.


3.2.3  Exponential  operations 

The exponentials ! and ¡ do not have a construction form associated with them, unless we view the
singleton construction forms x:T pers and x:T eph as being associated with these exponentials.
The matching construct is quite simple: Ξ matches Ξ|pers if Ξ contains no ephemeral or ordered
judgments - in other words, it says that Ξ = Γ; ·; ·. This form can then be used to describe the
right rule for !A in unfocused OL3:

$$\dfrac{\Xi \Longrightarrow A\ \mathit{true}}{\Xi|_{\mathit{pers}} \Longrightarrow\ {!}A\ \mathit{lvl}}\ {!}R$$

Similarly, Ξ matches Ξ|eph if Ξ contains no ordered judgments (that is, if Ξ = Γ; Δ; ·). Ξ always
matches Ξ|ord; we don’t ever explicitly use this construct, but it allows us to generally refer to
Ξ|lvl in the statement of theorems like cut admissibility.

The exponential matching constructs don’t actually modify contexts in the way other matching constructs do, but this is a consequence of the particular choice of logic we’re considering.
Given affine resources, for instance, the matching construct associated with the affine connective
@A would clear the context of affine facts: Ξ matches Ξ'|pers if Ξ has only persistent and affine
resources and Ξ' contains the same persistent resources as Ξ but none of the affine ones.

We can describe a mirror-image operation on succedents U. U matches U|lax only if it has the
form T lax, and U always matches U|true. The latter matching construct is another degenerate
form that similarly allows us to refer to U|lvl as a generic matching construct. We write Δ|lvl as
a judgment to mean that Δ matches Δ|lvl, and write U|lvl as a judgment to mean that U matches
U|lvl.

In the context Δ:
  stable propositions                   x:A⁻ ord, eph, pers
  suspended propositions (also stable)  x:⟨A⁺⟩ ord, eph, pers
  focused propositions                  x:[A⁻] ord
  inverting propositions                x:A⁺ ord

As the succedent U:
  A⁺ true, lax
  ⟨A⁻⟩ true, lax
  [A⁺] true
  A⁻ true

Figure 3.3: Summary of where propositions and judgments appear in OL3 sequents

The context constructions and context matching constructs that we have given are summarized as follows:

Constructions         Δ, Ξ ::= x:T lvl | Θ{Δ} | · | Δ, Ξ

Matching constructs   Δ, Ξ ::= x:T | Θ{{Δ}} | · | Δ, Ξ | Δ\lvl

3.3  Focused  sequent  calculus 

A sequent in the focused sequent calculus presentation of OL3 has the form Ψ; Δ ⊢ U, where Ψ is the first-order variable context, Δ is a substructural context as described in the previous section, and U is a succedent. The domain T of the substructural context consists of stable negative propositions A⁻, positive suspended propositions ⟨A⁺⟩, focused negative propositions [A⁻], and inverting positive propositions A⁺.

The form of the succedent U is T lvl, where lvl is either true or lax; in this way, U is just like a special substructural context with exactly one element - we don't need to care about the name of the variable, because there's only one. The domain of T for succedents is complementary to the domain of T for contexts: stable positive propositions A⁺, negative suspended propositions ⟨A⁻⟩, focused positive propositions [A⁺], and inverting negative propositions A⁻.

Figure  3.3  summarizes  the  composition  of  contexts  and  succedents,  taking  into  account  the 
restrictions  discussed  below. 

3.3.1  Restrictions  on  the  form  of  sequents 

A sequent Ψ; Δ ⊢ U is stable when the context Δ and succedent U contain only stable propositions (A⁻ in the context, A⁺ in the succedent) and suspended propositions (⟨A⁺⟩ in the context, ⟨A⁻⟩ in the succedent). We adopt the focusing constraint discussed in Chapter 2: there is at most one focused proposition in a sequent, and if there is a focused proposition in the sequent, then the sequent is otherwise stable. A restriction on the rules focusL and focusR (presented below in Figure 3.5) is sufficient to enforce this constraint: reading rules from the top down, we can only use a rule focusL or focusR to prove a stable sequent, and reading rules from the bottom up, we can only apply focusL or focusR when we are searching for a proof of a stable sequent.

Because there is always at most one focused proposition in a sequent, we do not need a variable name to reference the focused proposition in a context Δ any more than we need a variable name to reference the unique member of the context-like succedent U. Therefore, we can write [B⁻] ord instead of x:[B⁻] ord. Furthermore, for the presentation of focusing that we want to give, it suffices to restrict focused propositions and inverting propositions so that they are always associated with the judgment ord (on the left) or true (on the right). With this restriction, we can write [A⁻] and x:A⁺ instead of [A⁻] ord and x:A⁺ ord in Δ, and we can write [A⁺] and A⁻ instead of [A⁺] true and A⁻ true for U.

In a confluent presentation of focused logic like the one given for linear logic in Chapter 2, that would be as far as we could take our simplifications. However, this presentation will use a fixed inversion strategy as described in Section 2.3.8. If there is more than one invertible proposition in a sequent, only the leftmost one will be eligible to have a rule or matching applied to it. All the propositions in Δ are treated as being to the left of the succedent U, so we always prioritize inversion on positive propositions in Δ. With this additional restriction, it is always unambiguous which proposition we are referring to in an invertible rule, and we write A⁺ instead of x:A⁺ or x:A⁺ ord.

We  will  maintain  the  notational  convention  (only)  within  this  chapter  that  first-order  variables 
are  written  as  a,  variables  associated  with  stable  negative  propositions  are  written  as  x,  and 
variables  associated  with  suspended  positive  propositions  are  written  as  z. 

In summary, the four forms of sequent in focused OL3, which we define the rules for in Section 3.3.3 below, are:

* Right focused sequents Ψ; Δ ⊢ [A⁺] (where Δ is stable, containing only variable declarations x:A⁻ lvl or z:⟨A⁺⟩ lvl),

* Inversion sequents Ψ; Δ ⊢ U (where Δ contains variable declarations x:A⁻ lvl, z:⟨A⁺⟩ lvl and inverting positive propositions A⁺, and where U is either A⁺ lvl, ⟨A⁻⟩ lvl, or an inverting negative proposition A⁻),

* Stable sequents, the special case of inversion sequents that contain no inverting positive propositions in Δ or inverting negative propositions in U.

* Left focused sequents Ψ; Θ{[A⁻]} ⊢ U (where Θ and U are stable - Θ contains only variable declarations x:A⁻ lvl or z:⟨A⁺⟩ lvl and U is either A⁺ lvl or ⟨A⁻⟩ lvl).

3.3.2  Polarized  propositions 

The propositions of ordered logic are fundamentally sorted into positive propositions A⁺ and negative propositions A⁻; both classes, and the inclusions between them, are shown in Figure 3.4. The positive propositions have a refinement, permeable propositions A⁺_pers, that is analogous to the refinement discussed for linear logic in Section 2.5.4. There is also a more generous refinement, the mobile propositions A⁺_eph, for positive propositions that do not mention ↓ but that may mention ¡. We introduce atomic propositions p⁺ that stand for arbitrary positive propositions, mobile atomic propositions p⁺_eph that stand for arbitrary mobile propositions, and persistent atomic propositions p⁺_pers that stand for arbitrary permeable propositions. We treat A⁺_ord and p⁺_ord as synonymous with A⁺ and p⁺, respectively, which allows us to generically refer to A⁺_lvl and p⁺_lvl in rules like η⁺ and in the statement of the identity expansion theorem.

Figure 3.4: Propositions of polarized OL3

Negative propositions also have a refinement, A⁻_lax, for negative propositions that do not end in an upshift ↑A⁺ or in a negative atomic proposition p⁻. This is interesting as a formal artifact and there is very little overhead involved in putting it into our development, but the meaning of this syntactic class, as well as the meaning of right-permeable atomic propositions p⁻_lax, is unclear. Certainly we do not want to include such propositions in our logical framework, as to do so would interfere with our development of traces as a syntax for partial proofs in Chapter 4.

The presentation of the exponentials, and the logic that we now present, emphasizes the degree to which the shifts ↑ and ↓ have much of the character of exponentials in a focused substructural logic. The upshift ↑A⁺ is like an ordered variant of the lax truth ○A⁺ that puts no constraints on the form of the succedent, and the downshift ↓A⁻ is like an ordered variant of the persistent and linear exponentials !A⁻ and ¡A⁻ that puts no constraints on the form of the context. This point is implicit in Laurent's dissertation [Lau02]. In that dissertation, Laurent defines the polarized LLP without the shifts ↑ and ↓, so that the only connection points between the polarities are the exponentials. Were it not for atomic propositions, the resulting logic would be more persistent than linear, a point we will return to in Section 3.7.


3.3.3  Derivations  and  proof  terms 

The multiplicative and exponential fragment of focused OL3 is given in Figure 3.5, the additive fragment is given in Figure 3.6, and the first-order connectives are treated in Figure 3.7. We follow the convention of using matching constructs in the conclusions of rules and constructions in the premises, with the exception of rules that are at the leaves, such as id⁺ and =R, where we write out the matching condition as a premise.

These rules are all written with sequents of the form Ψ; Δ ⊢ E : U, where E is a proof term that corresponds to a derivation of that sequent. Just as sequent forms are divided into the right-focused, inverting, and left-focused sequents, we divide expressions into values V, derivations of right-focused sequents; terms N, derivations of inverting sequents; and spines Sp, derivations of left-focused sequents. The structure of values, terms, and spines is as follows:

Values   V  ::= z | ↓N | ¡N | !N | () | V₁•V₂ | INL(V) | INR(V) | t,V | REFL

Terms    N  ::= V | x·Sp | ⟨z⟩.N | ⟨N⟩ | ↓x.N | ¡x.N | !x.N | ↑N | {N}
              | ().N | •N | λ<N | λ>N | ABORT | [N₁, N₂] | ⊤ | N₁ & N₂ | a.N | [a].N
              | UNIF (fn σ ⇒ φ(σ))

Spines   Sp ::= NIL | ↑N | {N} | V<Sp | V>Sp | π₁;Sp | π₂;Sp | [t];Sp

Focus, identity, and atomic propositions

  Δ ⊢ V : [A⁺]                          Θ{[A⁻]} ⊢ Sp : U
  ──────────────── focusR               ─────────────────────── focusL
  Δ ⊢ V : A⁺ lvl                        Θ{x:A⁻ lvl} ⊢ x·Sp : U

  Θ{z:⟨p⁺_lvl⟩ lvl} ⊢ N : U             Δ matches z:⟨A⁺⟩ lvl
  ────────────────────────── η⁺         ──────────────────── id⁺
  Θ{p⁺_lvl} ⊢ ⟨z⟩.N : U                 Δ ⊢ z : [A⁺]

  Δ ⊢ N : ⟨p⁻_lvl⟩ lvl                  Δ matches [A⁻]
  ───────────────────── η⁻              ──────────────────── id⁻
  Δ ⊢ ⟨N⟩ : p⁻_lvl                      Δ ⊢ NIL : ⟨A⁻⟩ lvl

Shifts and modalities

  Δ ⊢ N : A⁻                            Θ{x:A⁻ ord} ⊢ N : U
  ──────────────── ↓R                   ───────────────────── ↓L
  Δ ⊢ ↓N : [↓A⁻]                        Θ{↓A⁻} ⊢ ↓x.N : U

  Δ ⊢ N : A⁻                            Θ{x:A⁻ eph} ⊢ N : U
  ──────────────────── ¡R               ───────────────────── ¡L
  Δ\eph ⊢ ¡N : [¡A⁻]                    Θ{¡A⁻} ⊢ ¡x.N : U

  Δ ⊢ N : A⁻                            Θ{x:A⁻ pers} ⊢ N : U
  ──────────────────── !R               ───────────────────── !L
  Δ\pers ⊢ !N : [!A⁻]                   Θ{!A⁻} ⊢ !x.N : U

  Δ ⊢ N : A⁺ true                       Θ{A⁺} ⊢ N : U
  ──────────────── ↑R                   ───────────────────── ↑L
  Δ ⊢ ↑N : ↑A⁺                          Θ{[↑A⁺]} ⊢ ↑N : U

  Δ ⊢ N : A⁺ lax                        Θ{A⁺} ⊢ N : U
  ──────────────── ○R                   ───────────────────── ○L
  Δ ⊢ {N} : ○A⁺                         Θ{[○A⁺]} ⊢ {N} : U/lax

Multiplicative connectives

  Δ matches ·                           Θ{·} ⊢ N : U
  ──────────────── 1R                   ───────────────────── 1L
  Δ ⊢ () : [1]                          Θ{1} ⊢ ().N : U

  Δ₁ ⊢ V₁ : [A⁺]   Δ₂ ⊢ V₂ : [B⁺]       Θ{A⁺, B⁺} ⊢ N : U
  ──────────────────────────── •R       ───────────────────── •L
  Δ₁, Δ₂ ⊢ V₁•V₂ : [A⁺•B⁺]              Θ{A⁺•B⁺} ⊢ •N : U

  A⁺, Δ ⊢ N : B⁻                        Δ_A ⊢ V : [A⁺]   Θ{[B⁻]} ⊢ Sp : U
  ──────────────────── ↣R               ──────────────────────────────── ↣L
  Δ ⊢ λ<N : A⁺ ↣ B⁻                     Θ{Δ_A, [A⁺ ↣ B⁻]} ⊢ V<Sp : U

  Δ, A⁺ ⊢ N : B⁻                        Δ_A ⊢ V : [A⁺]   Θ{[B⁻]} ⊢ Sp : U
  ──────────────────── ↠R               ──────────────────────────────── ↠L
  Δ ⊢ λ>N : A⁺ ↠ B⁻                     Θ{[A⁺ ↠ B⁻], Δ_A} ⊢ V>Sp : U

Figure 3.5: Multiplicative, exponential fragment of focused OL3 (contexts Ψ suppressed)

Figure 3.6: Additive connectives of focused OL3 (contexts Ψ suppressed)

  Ψ ⊢ t : τ   Ψ; Δ ⊢ V : [[t/a]A⁺]       Ψ, a:τ; Θ{A⁺} ⊢ N : U
  ──────────────────────────────── ∃R    ──────────────────────── ∃L
  Ψ; Δ ⊢ t,V : [∃a:τ.A⁺]                 Ψ; Θ{∃a:τ.A⁺} ⊢ a.N : U

  Ψ, a:τ; Δ ⊢ N : A⁻                     Ψ ⊢ t : τ   Ψ; Θ{[[t/a]A⁻]} ⊢ Sp : U
  ─────────────────────── ∀R             ───────────────────────────────── ∀L
  Ψ; Δ ⊢ [a].N : ∀a:τ.A⁻                 Ψ; Θ{[∀a:τ.A⁻]} ⊢ [t];Sp : U

  Δ matches ·                            ∀(Ψ′ ⊢ σ : Ψ). σt = σs → Ψ′; σΘ{·} ⊢ φ(σ) : σU
  ──────────────────────── =R            ─────────────────────────────────────────── =L
  Ψ; Δ ⊢ REFL : [t =_τ t]                Ψ; Θ{t =_τ s} ⊢ UNIF (fn σ ⇒ φ(σ)) : U

Figure 3.7: First-order connectives of focused OL3

It is possible to take a "Curry-style" view of expressions as extrinsically typed, which means we consider both well-typed and ill-typed expressions; the well-typed expressions are then those for which the sequent Ψ; Δ ⊢ E : U is derivable. However, we will take the "Church-style" view that expressions are intrinsically typed representatives of derivations: that is, Ψ; Δ ⊢ E : U expresses that E is a derivation of the sequent Ψ; Δ ⊢ U. To justify this close correspondence, we require the inductive structure of expressions to be faithful to the inductive structure of proofs; this is one reason that we don't introduce the patterns that are common in other proof term assignments for focused logic [WCPW02, LZH08, Kri09]. (In Section 4.2.4, a limited syntax for patterns is introduced as part of the logical framework SLS.)

Proof terms for the left and right identity rules include angle brackets that reflect the notation for suspended propositions: ⟨N⟩ for η⁻ and ⟨z⟩.N for η⁺. We distinguish proof terms dealing with existential quantifiers from those dealing with universal quantifiers in a nonstandard way by using square brackets for the latter: [t];Sp and [a].N represent the left and right rules for universal quantification, whereas a.N and t,V represent the left and right rules for existential quantification. Other than that, the main novelty in the proof term language and in Figures 3.5-3.7 is again the treatment of equality. We represent the proof term corresponding to the left rule for equality as UNIF (fn σ ⇒ φ(σ)), where (fn σ ⇒ φ(σ)) is intended to be a function from unifying substitutions σ to proof terms. This corresponds to the view of the =L rule that takes the higher-order formulation seriously as a function, and we treat any proof term φ(σ) where σ is a unifying substitution as a subterm of UNIF (fn σ ⇒ φ(σ)).
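As an added worked example (it is not part of the dissertation), here is a complete focused derivation, with the proof term it produces, of the stable sequent z:⟨p⁺⟩ ord, x:(p⁺ ↣ ↑q⁺) ord ⊢ q⁺ true, using only the rules of Figure 3.5; the atomic propositions p⁺ and q⁺, the variable names x, z, z′, and the hole symbol □ for a frame are all assumptions of the example.

```latex
% Added worked example (not from the dissertation): a complete focused
% derivation in OL3, read bottom-up, using only rules of Figure 3.5.
% Assumptions: p^+ and q^+ are ordered atomic propositions, x, z, z' are
% variable names chosen here, and \square marks the hole of a frame \Theta.
%
% Goal (a stable sequent; the first-order context \Psi is suppressed):
%   z:<p^+> ord, x:(p^+ >-> ^q^+) ord  |-  N : q^+ true
\[
\begin{array}{cll}
\text{step} & \text{rule applied (bottom-up)} & \text{what remains, and the proof term it yields} \\[3pt]
1 & \mathit{focus}_L \text{ on } x,\ \Theta = (z{:}\langle p^+\rangle\,\mathsf{ord},\ \square)
  & z{:}\langle p^+\rangle\,\mathsf{ord},\ [p^+ \rightarrowtail {\uparrow}q^+] \vdash Sp : q^+\,\mathsf{true};\quad N = x\cdot Sp \\
2 & {\rightarrowtail}_L,\ \Delta_A = z{:}\langle p^+\rangle\,\mathsf{ord},\ \Theta = \square
  & z{:}\langle p^+\rangle\,\mathsf{ord} \vdash V : [p^+]\ \text{ and }\ [{\uparrow}q^+] \vdash Sp' : q^+\,\mathsf{true};\quad Sp = V{<}Sp' \\
3 & \mathit{id}^+\ (\Delta \text{ matches } z{:}\langle p^+\rangle\,\mathsf{ord})
  & \text{closed};\quad V = z \\
4 & {\uparrow}_L,\ \Theta = \square
  & q^+ \vdash N' : q^+\,\mathsf{true};\quad Sp' = {\uparrow}N' \\
5 & \eta^+\ \text{with } \mathit{lvl} = \mathsf{ord}
  & z'{:}\langle q^+\rangle\,\mathsf{ord} \vdash N'' : q^+\,\mathsf{true};\quad N' = \langle z'\rangle.N'' \\
6 & \mathit{focus}_R\ \text{(the sequent is stable again)}
  & z'{:}\langle q^+\rangle\,\mathsf{ord} \vdash V' : [q^+];\quad N'' = V' \\
7 & \mathit{id}^+
  & \text{closed};\quad V' = z'
\end{array}
\]
% Reassembling the pieces, the proof term of the goal is
\[
N \;=\; x \cdot \bigl(z < {\uparrow}\langle z'\rangle.z'\bigr)
\]
% in which the spine z < ^<z'>.z' is the continuation handed to the
% hypothesis x, the value z is the ordered resource consumed by >->_L
% (it must sit to the left of x, as the conclusion of that rule requires),
% and <z'>.z' re-suspends and immediately returns the atom q^+.
```

Steps 1 and 6 are the only points at which focusL or focusR fire, and both act on a stable sequent, which is exactly the restriction of Section 3.3.1; every other step is forced by the leftmost inverting or focused proposition.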

There are two caveats to the idea that expressions are representatives of derivations. One caveat is that, in order for there to be an actual correspondence between expressions and terms, we need to annotate all variables with the judgment they are associated with, and we need to annotate the proof terms INR(V), INL(V), π₁;Sp, and π₂;Sp with the type of the branch not taken. Pfenning writes these as superscripts [Pfe08], but we will follow Girard in leaving them implicit [GTL89]. The second caveat is that, because we do not explicitly represent the significant bookkeeping associated with matching constructs in proof terms, if Ψ; Δ ⊢ E : U, then Ψ, a:τ; Δ, x:A⁻ pers ⊢ E : U as well. Therefore, even given appropriate type annotations, when we say that some expression E is a derivation of Ψ; Δ ⊢ U, it is only uniquely a derivation of that sequent if we account for the implicit bookkeeping on contexts. It is likely that the first caveat can be largely dismissed by treating Figures 3.5-3.7 as a bidirectional type system for proof terms. Addressing the second caveat will require a careful analysis of when the bookkeeping on contexts can be reconstructed, which we leave for future work.

The proof terms presented here mirror our formulation of a logical framework in the next chapter. Additionally, working on the level of proof terms allows for a greatly compressed presentation of cut admissibility and identity expansion that emphasizes the computational nature of these proofs: cut admissibility clearly generalizes the hereditary substitution operation in so-called spine form presentations of LF [CP02], and identity expansion is, computationally, a novel η-expansion property on proof terms. To be fair, much of this compression is due to neglecting the implicit bookkeeping associated with matching constructs, bookkeeping that must be made explicit in proofs like the cut admissibility theorem.

One theorem that takes place entirely at the level of this implicit bookkeeping is the admissible weakening lemma: if Δ′ contains only persistent propositions and N is a derivation of Ψ; Δ ⊢ U, then N is also a derivation of Ψ; Δ, Δ′ ⊢ U. As usual, this proof can be established by straightforward induction on the structure of N.

3.3.4  Variable  substitution 

The first-order variables introduced by universal quantifiers (on the right) and existential quantifiers (on the left) are proper variables in the sense that the meaning of first-order variables is given by substitution [Har12, Chapter 1]. A sequent with free variables is thus a generic representative of all the sequents that can be obtained by plugging terms in for those free variables through the operation of substitution. This intuition is formalized by the variable substitution theorem, Theorem 3.4.
Theorem 3.4 (Variable substitution). If Ψ′ ⊢ σ : Ψ and Ψ; Δ ⊢ U, then Ψ′; σΔ ⊢ σU.

Proof. On the level of proof terms, we are given E, an expression corresponding to a derivation of Ψ; Δ ⊢ U; we are defining the operation σE, an expression corresponding to a derivation of Ψ′; σΔ ⊢ σU.

Propositional fragment  For the exponential, multiplicative, and additive fragments, this operation is simple to define at the level of proof terms, and we will omit most of the cases: σ(V₁•V₂) = σV₁•σV₂, σ(↓x.N) = ↓x.σN, and so on. (Note that first-order variables a do not interact with variables x and z in the substructural context.) However, this compact notation does capture a great deal of complexity. In particular, it is important to emphasize that we need lemmas saying that variable substitution is compatible with all the context matching operations from Section 3.2. In full detail, these two simple cases would be:

- σ(V₁•V₂) = σV₁•σV₂

We are given a proof of Ψ; Δ ⊢ [A⁺•B⁺] that ends with the rule •R; the subderivations are V₁, a derivation of Ψ; Δ₁ ⊢ [A⁺], and V₂, a derivation of Ψ; Δ₂ ⊢ [B⁺]. Furthermore, we know that Δ matches Δ₁, Δ₂. We need a lemma that tells us that σΔ matches σΔ₁, σΔ₂; then, by rule •R, it suffices to show that Ψ′; σΔ₁ ⊢ [σA⁺] (which we have by the induction hypothesis on σ and V₁) and that Ψ′; σΔ₂ ⊢ [σB⁺] (which we have by the induction hypothesis on σ and V₂).

- σ(↓x.N) = ↓x.σN

We are given a proof of Ψ; Δ ⊢ U that ends with ↓L; the subderivation is N, a derivation of Ψ; Θ{x:A⁻ ord} ⊢ U. Furthermore, we know that Δ matches Θ{{↓A⁻}}. We need a lemma that tells us that σΔ matches σΘ{{↓σA⁻}}; then, by rule ↓L, it suffices to show Ψ′; σΘ{x:σA⁻ ord} ⊢ σU (which we have by the induction hypothesis on σ and N).

First-order fragment  We will present variable substitution on the first-order fragment fully. Note the =L rule in particular, which does not require an invocation of the induction hypothesis. The cases for the ∃ quantifier mimic the ones we give for the ∀ quantifier, and so the discussion of these cases is omitted.

- σ(t,V) = (σt, σV)

- σ(a.N) = a.(σ, a/a)N

- σ(REFL) = REFL

- σ(UNIF (fn σ″ ⇒ f(σ″))) = UNIF (fn σ′ ⇒ f(σ′ ∘ σ))

We are given a proof of Ψ; Δ ⊢ U that ends with =L; we know that Δ matches Θ{{t = s}}, and the subderivation is f, a function from substitutions Ψ″ ⊢ σ″ : Ψ that unify t and s to derivations of Ψ″; σ″Θ{·} ⊢ σ″U. We need a lemma that tells us that σΔ matches σΘ{{σt = σs}}; then, by rule =L, it suffices to show that for all Ψ″ ⊢ σ′ : Ψ′ that unify σt and σs, there exists a derivation of Ψ″; σ′(σΘ){·} ⊢ σ′(σU), which is the same thing as a derivation of Ψ″; (σ′ ∘ σ)Θ{·} ⊢ (σ′ ∘ σ)U. We have that Ψ″ ⊢ σ′ ∘ σ : Ψ, and certainly σ′ ∘ σ unifies t and s, so we can conclude by passing σ′ ∘ σ to f.

- σ([a].N) = [a].(σ, a/a)N

We are given a proof of Ψ; Δ ⊢ ∀a:τ.A⁻ that ends with ∀R; the subderivation is N, a derivation of Ψ, a:τ; Δ ⊢ A⁻. Because σ(∀a:τ.A⁻) = ∀a:στ.(σ, a/a)A⁻, by rule ∀R it suffices to show Ψ′, a:στ; σΔ ⊢ (σ, a/a)A⁻.

This is the same thing as Ψ′, a:στ; (σ, a/a)Δ ⊢ (σ, a/a)A⁻; the result follows by the induction hypothesis on (σ, a/a) and N.

- σ([t];Sp) = [σt];σSp

We are given a proof of Ψ; Δ ⊢ U that ends with ∀L; the subderivation is Sp, a derivation of Ψ; Θ{[[t/a]A⁻]} ⊢ U. Furthermore, we know that Δ matches Θ{{[∀a:τ.A⁻]}}. We need a lemma that tells us that σΔ matches σΘ{{[∀a:στ.(σ, a/a)A⁻]}}; then, by rule ∀L, it suffices to show Ψ′; σΘ{[[σt/a]((σ, a/a)A⁻)]} ⊢ σU.

This is the same thing as Ψ′; σΘ{[σ([t/a]A⁻)]} ⊢ σU; the result follows by the induction hypothesis on σ and Sp.

Note that, in the case for ∀R, the substitution σ was applied to the first-order type τ as well as to the proposition A⁻. This alludes to the fact that our first-order terms are dependently typed (Section 4.1). □


Given that we write the constructive content of the variable substitution theorem as σE, where E is an expression, we can also write Theorem 3.4 as an admissible rule in one of two ways, both with and without proof terms:

  Ψ′ ⊢ σ : Ψ    Ψ; Δ ⊢ E : U                 Ψ′ ⊢ σ : Ψ    Ψ; Δ ⊢ U
  ───────────────────────────── varsubst     ──────────────────────── varsubst
  Ψ′; σΔ ⊢ σE : σU                           Ψ′; σΔ ⊢ σU

We will tend towards the expression-annotated presentations, such as the one on the left, in this chapter.


3.3.5  Focal  substitution 

Both cut admissibility and identity expansion depend on the same focal substitution theorem that was considered for linear logic in Section 2.3.4. Both of these theorems use the compound matching construct Θ{{Δ\lvl}}, a pattern that will also be used in the proof of cut admissibility: Δ′ matches Θ{{Δ\lvl}} if Δ\lvl (which, again, is a shorthand way of saying Δ matches Δ\lvl) and if Δ′ matches Θ{{Δ}}.

Theorem 3.5 (Focal substitution).

* If Ψ; Δ ⊢ [A⁺], Ψ; Θ{z:⟨A⁺⟩ lvl} ⊢ U, and Ξ matches Θ{{Δ\lvl}}, then Ψ; Ξ ⊢ U.

* If Ψ; Δ ⊢ ⟨A⁻⟩ lvl, Ψ; Θ{[A⁻]} ⊢ U, Ξ matches Θ{{Δ}}, and U/lvl, then Ψ; Ξ ⊢ U.
Proof. The computational content of positive focal substitution is the substitution of a value V for a variable z in an expression E, written [V/z]E. As an admissible rule, positive focal substitution is represented as follows:

  Ψ; Δ ⊢ V : [A⁺]    Ψ; Θ{z:⟨A⁺⟩ lvl} ⊢ E : U
  ──────────────────────────────────────────── subst⁺
  Ψ; Θ{{Δ\lvl}} ⊢ [V/z]E : U

The proof of positive focal substitution proceeds by induction over the derivation E containing the suspended proposition. In the case where E = z, the derivation z concludes by right focusing on the proposition that we have a focused proof V of, so the result we are looking for is V.

The computational content of negative focal substitution is the substitution of a spine Sp out of an expression E. Sp represents a continuation, and the expression E is waiting on that continuation. As an admissible rule, negative focal substitution is represented as follows:

  Ψ; Δ ⊢ E : ⟨A⁻⟩ lvl    Ψ; Θ{[A⁻]} ⊢ Sp : U
  ──────────────────────────────────────────── subst⁻
  Ψ; Θ{{Δ}} ⊢ [E]Sp : U/lvl

The proof of negative focal substitution proceeds by induction over the derivation E containing the suspended proposition. In the case where E = NIL, the derivation NIL concludes by left focus on the proposition that we have a spine Sp for, so the result we are looking for is Sp. □

Pay attention to the way compound matching constructs are being used. If we separate the substructural context out into its persistent, linear, and ordered constituents, the subst⁺ rule can be seen as effectively expressing three admissible principles simultaneously:

* If Ψ; Γ; Δ; Ω ⊢ [A⁺] and Ψ; Γ; Δ′; Ω_L, ⟨A⁺⟩, Ω_R ⊢ U, then Ψ; Γ; Δ, Δ′; Ω_L, Ω, Ω_R ⊢ U.

* If Ψ; Γ; Δ; · ⊢ [A⁺_eph] and Ψ; Γ; Δ′, ⟨A⁺_eph⟩; Ω′ ⊢ U, then Ψ; Γ; Δ, Δ′; Ω′ ⊢ U.

* If Ψ; Γ; ·; · ⊢ [A⁺_pers] and Ψ; Γ, ⟨A⁺_pers⟩; Δ′; Ω′ ⊢ U, then Ψ; Γ; Δ′; Ω′ ⊢ U.

In negative focal substitution, as in the leftist substitutions of cut admissibility, there is a corresponding use of U/lvl to capture that we can use a proof of ⟨A⁻⟩ true to discharge a hypothesis of [A⁻] in a proof of C true or a proof of C lax, but that a proof of ⟨A⁻_lax⟩ lax can only discharge a hypothesis of [A⁻_lax] in a proof of C lax.

3.4  Cut  admissibility 

It is a little wordy to say that, in a context or succedent, the only judgments involving suspensions are ⟨p⁺_pers⟩ pers, ⟨p⁺_eph⟩ eph, ⟨p⁺⟩ ord, ⟨p⁻⟩ true, and ⟨p⁻_lax⟩ lax, but this is a critical precondition of the cut admissibility property for focused OL3. We'll call contexts and succedents with this property suspension-normal.

Theorem 3.6 (Cut admissibility). For suspension-normal Ψ, A⁺, A⁻, Δ, Θ, Ξ, and U,

1. If Ψ; Δ ⊢ [A⁺], Ψ; Θ{A⁺} ⊢ U, and Ξ matches Θ{{Δ}}, then Ψ; Ξ ⊢ U.

2. If Ψ; Δ ⊢ A⁻, Ψ; Θ{[A⁻]} ⊢ U, Δ is stable, and Ξ matches Θ{{Δ}}, then Ψ; Ξ ⊢ U.

3. If Ψ; Δ ⊢ A⁺ lvl, Ψ; Θ{A⁺} ⊢ U, Θ and U are stable, Ξ matches Θ{{Δ}}, and U/lvl, then Ψ; Ξ ⊢ U.

4. If Ψ; Δ ⊢ A⁻, Ψ; Θ{x:A⁻ lvl} ⊢ U, Δ is stable, and Ξ matches Θ{{Δ\lvl}}, then Ψ; Ξ ⊢ U.

The four cases of cut admissibility (and their proof below) neatly codify an observation about the structure of cut admissibility proofs made by Pfenning in his work on structural cut elimination [Pfe00]. The first two parts of Theorem 3.6 are the home of the principal cases that decompose both derivations simultaneously - part 1 is for positive cut formulas and part 2 is for negative cut formulas. The third part contains all the left commutative cases that perform case analysis and induction only on the first given derivation, and the fourth part contains all the right commutative cases that perform case analysis and induction only on the second given derivation.

In Pfenning's work on structural cut elimination, this classification of cases was informal, but the structure of our cut admissibility proofs actually isolates the principal, left commutative, and right commutative cases into different parts of the theorem. This separation of cases is the reason why cut admissibility in a focused sequent calculus can use a more refined induction metric than cut admissibility in an unfocused sequent calculus. As noted previously in the proof of Theorem 2.4, the refined induction metric does away with the precondition, essential to Pfenning's proof of structural cut admissibility, that weakening and variable substitution preserve the size of derivations.

Before  discussing  the  proof,  it  is  worth  noting  that  this  theorem  statement  is  already  a  sort  of 
victory.  It  is  an  extremely  simple  statement  of  cut  admissibility  for  a  rather  complex  logic. 

3.4.1  Optimizing  the  statement  of  cut  admissibility 

We will pick the cut admissibility proof from Chaudhuri's dissertation [Cha06] as a representative example of existing work on cut admissibility in focused logics. His statement of cut admissibility for linear logic has 10 parts, which are sorted into five groups. In order to extend his proof structure to handle the extra lax and mobile connectives in OL3, we would need a dramatically larger number of cases. Furthermore, at a computational level, Chaudhuri's proof requires a lot of code duplication - that is, the proof of two different parts will frequently each require a case that looks essentially the same in both parts.

The structural focalization development in this chapter gives a compact proof of the completeness of focusing that is entirely free of code duplication. A great deal of simplification is due to the use of the matching constructs Θ{{Δ\lvl}} and U/lvl. Without that notation, part 3 would split into two parts for true and lax and part 4 would split into three parts for ord, eph, and pers. The fifth part of the cut admissibility theorem in Section 2.3.6 (Theorem 2.4), which is computationally a near-duplicate of the fourth part of the same theorem, is due to the lack of this device.

Further simplification is due to defining right-focused, inverting, and left-focused sequents as refinements of general sequents Ψ; Δ ⊢ U. Without this approach, the statement of part 3 must be split into two parts (for substituting into terms and spines) and the statement of part 4 must be split into three parts (for substituting into values, terms, and spines). Without either of the aforementioned simplifications, we would have 15 parts in the statement of Theorem 3.6 instead of four and twice as many cases that needed to be written down and checked.

Picking a fixed inversion strategy prevents us from having to prove the tedious, quadratically large confluence theorem discussed for linear logic in Section 2.3.8. This confluence theorem is certainly true, and we might want to prove it for any number of reasons, but it is interesting that we can avoid it altogether in our current development. A final improvement in our theorem statement is very subtle: insofar as our goal is to give a short proof of the completeness of focusing that avoids redundancy, the particular fixed inversion strategy we choose matters. The proof of Theorem 2.4 duplicates many right commutative cases in both part 1 and part 4 (which map directly onto parts 1 and 4 of Theorem 3.6 above). Our system prioritizes the inversion of positive formulas on the left over the inversion of negative formulas on the right. If we made the opposite choice, as Chaudhuri's system does, then this issue would remain, resulting in code duplication. We get a lot of mileage out of the fact that if Ξ = Θ{A⁺} then A⁺ unambiguously refers to the left-most proposition in Ξ, and this invariant would no longer be possible to maintain in the proof of cut admissibility if we prioritized inversion of negative propositions on the right.


3.4.2 Proof of cut admissibility, Theorem 3.6

The proof proceeds by lexicographic induction. In parts 1 and 2, the type gets smaller in every call to the induction hypothesis. In part 3, the induction hypothesis is only ever invoked on the same type $A^+$, and every invocation of the induction hypothesis is either to part 1 (smaller part number) or to part 3 (same part number, first derivation is smaller). Similarly, in part 4, the induction hypothesis is only invoked at the same type $A^-$, and every invocation of the induction hypothesis is either to part 2 (smaller part number) or to part 4 (same part number, second derivation is smaller).

The remainder of this section will cover each of the four parts of this proof in turn. Most of the theorem will be presented at the level of proof terms, but for representative cases we will discuss what the manipulation of proof terms means in terms of sequents and matching constructs. The computational content of parts 1 and 2 is principal substitution, written as $(V \circ N)_{A^+}$ and $(N \circ Sp)_{A^-}$ respectively, the computational content of part 3 is leftist substitution, written as $\lfloor E \rfloor_{A^+} N$, and the computational content of part 4 is rightist substitution, written as $[M/x]^{A^-} E$.

In many cases, we discuss the necessity of constructing certain contexts or frames; in general, we will state the necessary properties of these constructions without detailing the relatively straightforward process of constructing them.


Positive principal substitution

Positive principal substitution encompasses half the principal cuts from Pfenning's structural cut admissibility proof, the principal cuts where the principal cut formula is positive. The constructive content of this part is a function $(V \circ N)_{A^+}$ that normalizes a value against a term. Induction is on the structure of the positive type. The admissible rule associated with principal positive substitution is $\mathit{cut}^+$:

$$\infer[\mathit{cut}^+]{\Psi; \Theta\{\!\{\Delta\}\!\} \vdash (V \circ N)_{A^+} : U}{\Psi; \Delta \vdash V : [A^+] & \Psi; \Theta\{A^+\} \vdash N : U}$$

We have to be careful, especially in the positive principal substitution associated with the type $A^+ \bullet B^+$, to maintain the invariant that, in an unstable context, we only ever consider the leftmost inverting positive proposition.

In most of these cases, one of the givens is that $\Theta\{A^+\}$ matches $\Theta'\{\!\{A^+\}\!\}$ for some $\Theta'$. Because this implies that $\Theta = \Theta'$, we take the equality for granted rather than mentioning and reasoning explicitly about the premise every time.

- $(z \circ (z').N_1)_{p^+_{\mathit{lvl}}} = [z/z']N_1$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $z{:}\langle p^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$,

■ $N_1$ is a derivation of $\Psi; \Theta\{z'{:}\langle p^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

Because $\Delta$ is suspension-normal, we can derive $\Psi; \Delta \vdash [p^+_{\mathit{lvl}}]$ by $\mathit{id}^+$, and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$. Therefore, the result follows by focal substitution on $z$ and $N_1$.

- $(\downarrow M \circ \downarrow x.N_1)_{\downarrow A^-} = [M/x]^{A^-} N_1$

- $(\text{¡}M \circ \text{¡}x.N_1)_{\text{¡}A^-} = [M/x]^{A^-} N_1$

- $(!M \circ !x.N_1)_{!A^-} = [M/x]^{A^-} N_1$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Delta'{\restriction}\mathit{pers}$, $M$ is a derivation of $\Psi; \Delta' \vdash A^-$,

■ $N_1$ is a derivation of $\Psi; \Theta\{x{:}A^-\ \mathit{pers}\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

$\Xi$ matches $\Theta\{\!\{\Delta'{\restriction}\mathit{pers}\}\!\}$ and $\Delta'$ is stable (it was in a focused sequent $\Psi; \Delta \vdash !M : [!A^-]$), so the result follows by part 4 of cut admissibility on $N_1$ and $M$.

- $(() \circ ().N_1)_{\mathbf{1}} = N_1$

- $((V_1 \bullet V_2) \circ \bullet N_1)_{A^+ \bullet B^+} = (V_2 \circ (V_1 \circ N_1)_{A^+})_{B^+}$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Delta_1, \Delta_2$,

■ $V_1$ is a derivation of $\Psi; \Delta_1 \vdash [A^+]$, $V_2$ is a derivation of $\Psi; \Delta_2 \vdash [B^+]$,

■ $N_1$ is a derivation of $\Psi; \Theta\{A^+, B^+\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

We can construct a frame $\Theta_B$ such that $\Theta\{A^+, B^+\} = \Theta_B\{A^+\}$; we're just exchanging the part in the frame with the part not in the frame. We can also construct a second frame, $\Theta_A$, such that 1) $\Xi$ matches $\Theta_A\{\!\{\Delta_2\}\!\}$ and 2) $\Theta_A\{B^+\}$ matches $\Theta_B\{\!\{\Delta_1\}\!\}$.

Because $\Theta_A\{B^+\}$ matches $\Theta_B\{\!\{\Delta_1\}\!\}$, by the induction hypothesis on $V_1$ and $N_1$ we have $(V_1 \circ N_1)_{A^+}$, a derivation of $\Psi; \Theta_A\{B^+\} \vdash U$. Because $\Xi$ matches $\Theta_A\{\!\{\Delta_2\}\!\}$, by the induction hypothesis on $V_2$ and $(V_1 \circ N_1)_{A^+}$, we have a derivation of $\Psi; \Xi \vdash U$ as required.

- $(\mathsf{inl}(V_1) \circ [N_1, N_2])_{A^+ \oplus B^+} = (V_1 \circ N_1)_{A^+}$

- $(\mathsf{inr}(V_2) \circ [N_1, N_2])_{A^+ \oplus B^+} = (V_2 \circ N_2)_{B^+}$

- $((t, V_1) \circ a.N_1)_{\exists a{:}\tau. A^+} = (V_1 \circ [t/a]N_1)_{[t/a]A^+}$

We must show $\Psi; \Xi \vdash U$, where

■ $\Psi \vdash t : \tau$, $V_1$ is a derivation of $\Psi; \Delta \vdash [[t/a]A^+]$,

■ $N_1$ is a derivation of $\Psi, a{:}\tau; \Theta\{A^+\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

By variable substitution on $[t/a]$ and $N_1$, we have a derivation $[t/a]N_1$ of $\Psi; \Theta\{[t/a]A^+\} \vdash U$. We count $[t/a]A^+$ as being a smaller formula than $\exists a{:}\tau. A^+$, so by the induction hypothesis on $V_1$ and $[t/a]N_1$, we get a derivation of $\Psi; \Xi \vdash U$ as required.

- $(\mathsf{refl} \circ \mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow \phi(\sigma)))_{t \doteq t} = \phi(\mathsf{id})$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\cdot$,

■ $\phi$ is a function from substitutions $\Psi' \vdash \sigma : \Psi$ that unify $t$ and $t$ to derivations of $\Psi'; \sigma\Theta\{\cdot\} \vdash \sigma U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

We simply apply the identity substitution to $\phi$ to obtain a derivation of $\Psi; \Theta\{\cdot\} \vdash U$. Note that this is not quite the derivation of $\Psi; \Xi \vdash U$ that we need; we need an exchange-like lemma that, given a derivation of $\Psi; \Theta\{\cdot\} \vdash U$ and the fact that $\Xi$ matches $\Theta\{\!\{\cdot\}\!\}$, we can get a proof of $\Psi; \Xi \vdash U$ as we require.

Negative principal substitution

Negative principal substitution encompasses all the principal cuts from Pfenning's structural cut admissibility proof for which the principal formula is negative. The constructive content of this part is a function $(N \circ Sp)_{A^-}$ that normalizes a term against a spine; a similar function appears as hereditary reduction in presentations of hereditary substitution for LF [WCPW02]. Induction is on the structure of the negative type. The admissible rule associated with negative principal substitution is $\mathit{cut}^-$:

$$\infer[\mathit{cut}^-]{\Psi; \Theta\{\!\{\Delta\}\!\} \vdash (N \circ Sp)_{A^-} : U}{\Psi; \Delta \vdash N : A^- & \Psi; \Theta\{[A^-]\} \vdash Sp : U & \Delta\ \mathit{stable}_L}$$

- $((N) \circ \mathsf{nil})_{p^-_{\mathit{lvl}}} = N$

We must show $\Psi; \Xi \vdash U$, where

■ $N$ is a derivation of $\Psi; \Delta \vdash \langle p^-_{\mathit{lvl}}\rangle\ \mathit{lvl}$,

■ $\Theta\{[p^-_{\mathit{lvl}}]\}$ matches $[p^-_{\mathit{lvl}}]$, $U = \langle p^-_{\mathit{lvl}}\rangle\ \mathit{lvl}'$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

Because $U$ is suspension-normal, $\mathit{lvl} = \mathit{lvl}'$. A derivation of $\Psi; \Delta \vdash \langle p^-_{\mathit{lvl}}\rangle\ \mathit{lvl}$ is not quite a proof of $\Psi; \Xi \vdash U$, so we need an exchange-like lemma that we can get one from the other.

- $(\uparrow N \circ \uparrow M)_{\uparrow A^+} = \lfloor N \rfloor_{A^+} M$

- $(\{N\} \circ \{M\})_{\circ A^+} = \lfloor N \rfloor_{A^+} M$

We must show $\Psi; \Xi \vdash U$, where

■ $N$ is a derivation of $\Psi; \Delta \vdash A^+\ \mathit{lax}$,

■ $\Theta\{\circ A^+\}$ matches $\Theta'\{\!\{\circ A^+\}\!\}$, $U{\restriction}\mathit{lax}$, $\Theta'$ and $U$ are stable, $M$ is a derivation of $\Psi; \Theta'\{A^+\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

$\Xi$ matches $\Theta'\{\!\{\Delta\}\!\}$, so the result follows by part 3 of cut admissibility on $N$ and $M$.

- $((\lambda_{<} N) \circ (V{<}Sp))_{A^+ \twoheadrightarrow B^-} = ((V \circ N)_{A^+} \circ Sp)_{B^-}$

- $((\lambda_{>} N) \circ (V{>}Sp))_{A^+ \rightarrowtail B^-} = ((V \circ N)_{A^+} \circ Sp)_{B^-}$

We must show $\Psi; \Xi \vdash U$, where

■ $N$ is a derivation of $\Psi; \Delta, A^+ \vdash B^-$, $\Delta$ is stable (by the fixed inversion invariant: we only invert on the right when there is no further inversion to do on the left),

■ $\Theta\{[A^+ \twoheadrightarrow B^-]\}$ matches $\Theta'\{\!\{[A^+ \twoheadrightarrow B^-], \Delta_A\}\!\}$, $V$ is a derivation of $\Psi; \Delta_A \vdash [A^+]$, $Sp$ is a derivation of $\Psi; \Theta'\{[B^-]\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$.

We can simultaneously view the construction $\Delta, A^+$ as a frame $\Theta_A$ such that $\Theta_A\{A^+\} = \Delta, A^+$. Note that this is only possible to do because $\Delta$ is stable; if there were a non-stable proposition in $\Delta$, the fixed inversion invariant would not permit us to frame off the right-most proposition $A^+$.

We next construct a context $\Delta'_A$ that matches $\Theta_A\{\!\{\Delta_A\}\!\}$ (and also $\Delta, \Delta_A$ viewed as a matching construct), while simultaneously $\Xi$ matches $\Theta'\{\!\{\Delta'_A\}\!\}$.

By part 1 of cut admissibility on $V$ and $N$, we have $(V \circ N)_{A^+}$, a derivation of $\Psi; \Delta'_A \vdash B^-$, and the result then follows by the induction hypothesis on $(V \circ N)_{A^+}$ and $Sp$.

- $((N_1 \mathbin{\&} N_2) \circ (\pi_1; Sp))_{A^- \& B^-} = (N_1 \circ Sp)_{A^-}$

- $((N_1 \mathbin{\&} N_2) \circ (\pi_2; Sp))_{A^- \& B^-} = (N_2 \circ Sp)_{B^-}$

- $(([a].N) \circ ([t]; Sp))_{\forall a{:}\tau. A^-} = ([t/a]N \circ Sp)_{[t/a]A^-}$


Leftist substitution

In focal substitution, the positive case corresponds to our usual intuitions about substitution and the negative case is strange. In cut admissibility, the situation is reversed: rightist substitutions (considered in Section 3.4.2 below), associated with negative principal cut formulas, look like normal substitutions, and the leftist substitutions, considered here, are strange, as they break apart the expression that proves $A^+$ rather than the term where $A^+$ appears in the context.

Leftist substitutions encompass all the left commutative cuts from Pfenning's structural cut admissibility proof. The constructive content of leftist substitution is a function $\lfloor E \rfloor_{A^+} M$; we say we are substituting $M$ out of $E$. Induction is on the first subterm, as we crawl through $E$ looking for places where focus takes place on the right. The admissible rule associated with leftist substitution is $\mathit{lcut}$:

$$\infer[\mathit{lcut}]{\Psi; \Theta\{\!\{\Delta\}\!\} \vdash \lfloor E \rfloor_{A^+} M : U}{\Psi; \Delta \vdash E : A^+\ \mathit{lvl} & \Psi; \Theta\{A^+\} \vdash M : U & \Theta\ \mathit{stable}_L & U\ \mathit{stable}_R & U{\restriction}\mathit{lvl}}$$

Except for the case where the first given derivation ends in the rule $\mathit{focus}_R$, every case of this theorem involves a left rule. The general pattern for these cases is that $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$ and $\Delta$ matches $\Theta_B\{\!\{x{:}T\ \mathit{ord}\}\!\}$. $\Theta$ and $\Theta_B$ have the same persistent variables but distinct ephemeral and ordered variables, and we must construct a frame $\Theta \circ \Theta_B$ that is effectively the composition of $\Theta$ and $\Theta_B$. In cases that we discuss in detail, necessary properties of this composition frame are stated but not proven.

Substitution out of terms

- $\lfloor V \rfloor_{A^+} M = (V \circ M)_{A^+}$

We must show $\Psi; \Xi \vdash U$, where

■ $V$ is a derivation of $\Psi; \Delta \vdash [A^+]$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

The result follows from part 1 of cut admissibility on $V$ and $M$.

- $\lfloor x \cdot Sp \rfloor_{A^+} M = x \cdot (\lfloor Sp \rfloor_{A^+} M)$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{x{:}B^-\}\!\}$, $Sp$ is a derivation of $\Psi; \Theta_B\{[B^-]\} \vdash A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{x{:}B^-\}\!\}$ and $(\Theta \circ \Theta_B)\{[B^-]\}$ matches $\Theta\{\!\{\Theta_B\{[B^-]\}\}\!\}$. By the induction hypothesis on $Sp$ and $M$ we have $\Psi; (\Theta \circ \Theta_B)\{[B^-]\} \vdash U$, and the required result then follows from rule $\mathit{focus}_L$.

- $\lfloor (z).N \rfloor_{A^+} M = (z).(\lfloor N \rfloor_{A^+} M)$

- $\lfloor \downarrow x.N \rfloor_{A^+} M = \downarrow x.(\lfloor N \rfloor_{A^+} M)$

- $\lfloor \text{¡}x.N \rfloor_{A^+} M = \text{¡}x.(\lfloor N \rfloor_{A^+} M)$

- $\lfloor !x.N \rfloor_{A^+} M = !x.(\lfloor N \rfloor_{A^+} M)$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{!B^-\}\!\}$, $N$ is a derivation of $\Psi; \Theta_B\{x{:}B^-\ \mathit{pers}\} \vdash A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

We can construct a $\Theta'$ such that $\Theta'\{A^+\} = (\Theta\{A^+\}, x{:}B^-\ \mathit{pers})$. By admissible weakening, $M$ is a derivation of $\Psi; \Theta'\{A^+\} \vdash U$, too.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{!B^-\}\!\}$ and $(\Theta \circ \Theta_B)\{x{:}B^-\ \mathit{pers}\}$ matches $\Theta'\{\!\{\Theta_B\{x{:}B^-\ \mathit{pers}\}\}\!\}$. By the induction hypothesis on $N$ and $M$ we have $\Psi; (\Theta \circ \Theta_B)\{x{:}B^-\ \mathit{pers}\} \vdash U$, and the required result then follows from rule $!L$.

- $\lfloor \bullet N \rfloor_{A^+} M = \bullet(\lfloor N \rfloor_{A^+} M)$

- $\lfloor \mathsf{abort} \rfloor_{A^+} M = \mathsf{abort}$

- $\lfloor [N_1, N_2] \rfloor_{A^+} M = [(\lfloor N_1 \rfloor_{A^+} M), (\lfloor N_2 \rfloor_{A^+} M)]$

- $\lfloor a.N \rfloor_{A^+} M = a.(\lfloor N \rfloor_{A^+} M)$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{\exists a{:}\tau. B^+\}\!\}$, $N$ is a derivation of $\Psi, a{:}\tau; \Theta_B\{B^+\} \vdash A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{\exists a{:}\tau. B^+\}\!\}$ and $(\Theta \circ \Theta_B)\{B^+\}$ matches $\Theta\{\!\{\Theta_B\{B^+\}\}\!\}$. By variable weakening, $M$ is also a derivation of $\Psi, a{:}\tau; \Theta\{A^+\} \vdash U$, so by the induction hypothesis on $N$ and $M$ we have $\Psi, a{:}\tau; (\Theta \circ \Theta_B)\{B^+\} \vdash U$, and the required result then follows from rule $\exists L$.

- $\lfloor \mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow \phi(\sigma)) \rfloor_{A^+} M = \mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow \lfloor \phi(\sigma) \rfloor_{\sigma A^+} (\sigma M))$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{t \doteq s\}\!\}$, $\phi$ is a function from substitutions $\Psi' \vdash \sigma : \Psi$ that unify $t$ and $s$ to derivations of $\Psi'; \sigma\Theta_B\{\cdot\} \vdash \sigma A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{t \doteq s\}\!\}$, and for any substitution $\sigma$, $\sigma U{\restriction}\mathit{lvl}$ and $\sigma(\Theta \circ \Theta_B)\{\cdot\}$ matches $\sigma\Theta\{\!\{\sigma\Theta_B\{\cdot\}\}\!\}$. By rule $\doteq L$, it suffices to show that, given an arbitrary substitution $\Psi' \vdash \sigma : \Psi$, there is a derivation of $\Psi'; \sigma(\Theta \circ \Theta_B)\{\cdot\} \vdash \sigma U$.

By applying $\sigma$ to $\phi$, we get $\phi(\sigma)$, a derivation of $\Psi'; \sigma\Theta_B\{\cdot\} \vdash \sigma A^+\ \mathit{lvl}$. We treat $\sigma A^+$ as having the same size as $A^+$, and the usual interpretation of higher-order derivations is that $\phi(\sigma)$ is a subderivation of $\phi$, so $\phi(\sigma)$ can be used to invoke the induction hypothesis. From variable substitution, we get $\sigma M$, a derivation of $\Psi'; \sigma\Theta\{\sigma A^+\} \vdash \sigma U$, and then the result follows by the induction hypothesis on $\phi(\sigma)$ and $\sigma M$.


Substitution out of spines

- $\lfloor \{N\} \rfloor_{A^+} M = \{\lfloor N \rfloor_{A^+} M\}$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{\circ B^+\}\!\}$, $(A^+\ \mathit{lvl}){\restriction}\mathit{lax}$, $N$ is a derivation of $\Psi; \Theta_B\{B^+\} \vdash A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

Because $(A^+\ \mathit{lvl}){\restriction}\mathit{lax}$ and $U{\restriction}\mathit{lvl}$, we can conclude that $U{\restriction}\mathit{lax}$.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{\circ B^+\}\!\}$ and $(\Theta \circ \Theta_B)\{B^+\}$ matches $\Theta\{\!\{\Theta_B\{B^+\}\}\!\}$. By the induction hypothesis on $N$ and $M$ we have $\Psi; (\Theta \circ \Theta_B)\{B^+\} \vdash U$, and the result follows by rule $\circ L$.

- $\lfloor V{<}Sp \rfloor_{A^+} M = V{<}(\lfloor Sp \rfloor_{A^+} M)$

- $\lfloor V{>}Sp \rfloor_{A^+} M = V{>}(\lfloor Sp \rfloor_{A^+} M)$

We must show $\Psi; \Xi \vdash U$, where

■ $\Delta$ matches $\Theta_B\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta_B\}\!\}$, $V$ is a derivation of $\Psi; \Delta_B \vdash [B_1^+]$, $Sp$ is a derivation of $\Psi; \Theta_B\{[B_2^-]\} \vdash A^+\ \mathit{lvl}$,

■ $M$ is a derivation of $\Psi; \Theta\{A^+\} \vdash U$,

■ $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, and $U{\restriction}\mathit{lvl}$.

$\Xi$ matches $(\Theta \circ \Theta_B)\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta_B\}\!\}$ and $(\Theta \circ \Theta_B)\{[B_2^-]\}$ matches $\Theta\{\!\{\Theta_B\{[B_2^-]\}\}\!\}$. By invoking the induction hypothesis to substitute $M$ out of $Sp$, we have $\lfloor Sp \rfloor_{A^+} M$, which is a derivation of $\Psi; (\Theta \circ \Theta_B)\{[B_2^-]\} \vdash U$. The required result follows by rule $\twoheadrightarrow L$ on $V$ and $\lfloor Sp \rfloor_{A^+} M$.

- $\lfloor \pi_1; Sp \rfloor_{A^+} M = \pi_1; (\lfloor Sp \rfloor_{A^+} M)$

- $\lfloor \pi_2; Sp \rfloor_{A^+} M = \pi_2; (\lfloor Sp \rfloor_{A^+} M)$

- $\lfloor [t]; Sp \rfloor_{A^+} M = [t]; (\lfloor Sp \rfloor_{A^+} M)$

Rightist substitution

Rightist substitutions encompass all the right commutative cuts from Pfenning's structural cut admissibility proof. The constructive content of this part is a function $[M/x]^{A^-} E$; we say we are substituting $M$ into $E$. Induction is on the second subterm, as we crawl through $E$ looking for places where $x$ is mentioned. The admissible rule associated with rightist substitution is $\mathit{rcut}$:

$$\infer[\mathit{rcut}]{\Psi; \Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\} \vdash [M/x]^{A^-} E : U}{\Psi; \Delta \vdash M : A^- & \Psi; \Theta\{x{:}A^-\ \mathit{lvl}\} \vdash E : U & \Delta\ \mathit{stable}_L}$$

A unique aspect of the right commutative cuts is that the implicit bookkeeping on contexts matters to the computational behavior of the proof: when we deal with multiplicative connectives like $A^+ \bullet B^+$ and $A^+ \twoheadrightarrow B^-$ under focus, we actually must consider that the variable $x$ that we're substituting for can end up in only one specific branch of the proof (if $x$ is associated with a judgment $A^-\ \mathit{ord}$ or $A^-\ \mathit{eph}$) or in both branches of the proof (if $x$ is associated with a judgment $x{:}A^-\ \mathit{pers}$). The computational representation of these cases looks nondeterministic, but it is actually determined by the annotations and bookkeeping that we don't write down as part of the proof term. This is a point that we return to in Section 3.8.

For cases involving left rules, the general pattern is that $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$ and the action of the left rule, when we read it bottom-up, is to observe that $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{y{:}T\ \mathit{ord}\}\!\}$ in its conclusion and to construct $\Theta'\{\!\{y{:}T'\ \mathit{lvl}'\}\!\}$ in its premise(s). Effectively, we need to abstract a two-hole function (call it $\Upsilon$) from $\Xi$. One hole, the place where $x$ is, is defined by the frame $\Theta$: morally, $\Theta = \lambda\Delta_B.\,\Upsilon(x{:}A^-\ \mathit{lvl})(\Delta_B)$. The other hole, the place where $y$ is, is defined by $\Theta'$: morally, $\Theta' = \lambda\Delta_A.\,\Upsilon(\Delta_A)(y{:}T\ \mathit{ord})$. However, we cannot directly represent these functions due to the need to operate around matching constructs. Instead, we construct $\Theta_A$ to represent the frame that is morally $\lambda\Delta_B.\,\Upsilon(\Delta)(\Delta_B)$, and $\Theta_{T'}$ to represent the frame that is morally $\lambda\Delta_A.\,\Upsilon(\Delta_A)(y{:}T'\ \mathit{lvl}')$. As before, in cases that we discuss in detail, necessary properties of these two frames are stated but not proven.


Substitution into values

- $[M/x]^{A^-} z = z$

- $[M/x]^{A^-}(\downarrow N) = \downarrow([M/x]^{A^-} N)$

- $[M/x]^{A^-}(\text{¡}N) = \text{¡}([M/x]^{A^-} N)$

- $[M/x]^{A^-}(!N) = !([M/x]^{A^-} N)$

We must show $\Psi; \Xi \vdash [!B^-]$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Delta'{\restriction}\mathit{pers}$, $N$ is a derivation of $\Psi; \Delta' \vdash B^-$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

Because $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Delta'{\restriction}\mathit{pers}$ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, we can conclude that there exists a $\Theta'$ such that $\Delta' = \Theta'\{x{:}A^-\ \mathit{lvl}\}$ and also that $\Xi$ matches $\ldots$.

By the induction hypothesis on $M$ and $N$, we have a derivation of $\Psi; \Xi \vdash B^-$, and the result follows by rule $!R$.


- $[M/x]^{A^-}\,() = ()$

We must show $\Psi; \Xi \vdash [\mathbf{1}]$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\cdot$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

Because $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\cdot$, it must be the case that $\mathit{lvl} = \mathit{pers}$, and so $\Xi$ matches $\cdot$ as well. The result follows by rule $\mathbf{1}R$.

- $[M/x]^{A^-}(V_1 \bullet V_2) =$

$([M/x]^{A^-} V_1) \bullet V_2$ (if $x$ is in $V_1$'s context but not $V_2$'s)

$V_1 \bullet ([M/x]^{A^-} V_2)$ (if $x$ is in $V_2$'s context but not $V_1$'s)

$([M/x]^{A^-} V_1) \bullet ([M/x]^{A^-} V_2)$ (if $x$ is in both $V_1$ and $V_2$'s contexts)

We must show $\Psi; \Xi \vdash [B_1^+ \bullet B_2^+]$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Delta_1, \Delta_2$, $V_1$ is a derivation of $\Psi; \Delta_1 \vdash [B_1^+]$, $V_2$ is a derivation of $\Psi; \Delta_2 \vdash [B_2^+]$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

There are three possibilities: either $x$ is a variable declaration in $\Delta_1$ or $\Delta_2$ but not both (if $\mathit{lvl}$ is $\mathit{eph}$ or $\mathit{ord}$) or $x$ is a variable declaration in both $\Delta_1$ and $\Delta_2$ (if $\mathit{lvl}$ is $\mathit{pers}$).

The first two cases are symmetric; assume without loss of generality that $x$ is a variable declaration in $\Delta_1$ but not $\Delta_2$; we can construct a $\Theta_1$ and $\Delta'_1$ such that $\Theta_1\{x{:}A^-\ \mathit{lvl}\} = \Delta_1$, $\Delta'_1$ matches $\Theta_1\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, and $\Xi$ matches $\Delta'_1, \Delta_2$. By the induction hypothesis on $M$ and $V_1$, we have $[M/x]^{A^-} V_1$, a derivation of $\Psi; \Delta'_1 \vdash [B_1^+]$, and the result follows by rule $\bullet R$ on $[M/x]^{A^-} V_1$ and $V_2$.

The third case is similar; we construct $\Theta_1$, $\Delta'_1$, $\Theta_2$, and $\Delta'_2$ such that $\Theta_1\{x{:}A^-\ \mathit{lvl}\} = \Delta_1$, $\Theta_2\{x{:}A^-\ \mathit{lvl}\} = \Delta_2$, $\Delta'_1$ matches $\Theta_1\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, $\Delta'_2$ matches $\Theta_2\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, and $\Xi$ matches $\Delta'_1, \Delta'_2$, which is only possible because $\mathit{lvl} = \mathit{pers}$; we then invoke the induction hypothesis twice.

- $[M/x]^{A^-}(\mathsf{inl}(V)) = \mathsf{inl}([M/x]^{A^-} V)$

- $[M/x]^{A^-}(\mathsf{inr}(V)) = \mathsf{inr}([M/x]^{A^-} V)$

- $[M/x]^{A^-}(t, V) = (t, [M/x]^{A^-} V)$

- $[M/x]^{A^-}\,\mathsf{refl} = \mathsf{refl}$

Substitution into terms

- $[M/x]^{A^-} V = [M/x]^{A^-} V$

- $[M/x]^{A^-}(y \cdot Sp) = y \cdot ([M/x]^{A^-} Sp)$ ($x \neq y$)

- $[M/x]^{A^-}(x \cdot Sp) =$

$(M \circ Sp)_{A^-}$ (if $x$ is not in $Sp$'s context)

$(M \circ ([M/x]^{A^-} Sp))_{A^-}$ (if $x$ is in $Sp$'s context)

We must show $\Psi; \Xi \vdash U$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{x{:}A^-\}\!\}$, $Sp$ is a derivation of $\Psi; \Theta'\{[A^-]\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

If $\mathit{lvl}$ is $\mathit{eph}$ or $\mathit{ord}$, then $\Xi$ matches $\Theta'\{\!\{\Delta\}\!\}$ and the result follows by part 1 of cut admissibility on $M$ and $Sp$.

If $\mathit{lvl}$ is $\mathit{pers}$, $\Xi$ doesn't match $\Theta'\{\!\{\Delta\}\!\}$, as $\Theta'$ has an extra variable declaration $x{:}A^-\ \mathit{pers}$. Instead, we know $\Theta\{[A^-]\}$ matches $\Theta_{[A^-]}\{\!\{\Delta{\restriction}\mathit{pers}\}\!\}$ and $\Theta_{[A^-]}\{x{:}A^-\ \mathit{pers}\} = \Theta'\{[A^-]\}$, so $Sp$ is also a derivation of $\Psi; \Theta_{[A^-]}\{x{:}A^-\ \mathit{pers}\} \vdash U$. By the induction hypothesis on $M$ and $Sp$, we have $[M/x]^{A^-} Sp$, a derivation of $\Psi; \Theta\{[A^-]\} \vdash U$. Then, because $\Xi$ matches $\Theta\{\!\{\Delta\}\!\}$, the result follows from part 1 of cut admissibility on $M$ and $[M/x]^{A^-} Sp$.

- $[M/x]^{A^-}((z).N) = (z).([M/x]^{A^-} N)$

- $[M/x]^{A^-}(N) = ([M/x]^{A^-} N)$

- $[M/x]^{A^-}(\downarrow y.N) = \downarrow y.([M/x]^{A^-} N)$

- $[M/x]^{A^-}(\text{¡}y.N) = \text{¡}y.([M/x]^{A^-} N)$

- $[M/x]^{A^-}(!y.N) = !y.([M/x]^{A^-} N)$

We must show $\Psi; \Xi \vdash U$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{!B^-\}\!\}$, $N$ is a derivation of $\Psi; \Theta'\{y{:}B^-\ \mathit{pers}\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

Let $\Delta' = \Delta, y{:}B^-\ \mathit{pers}$. By admissible weakening, $M$ is a derivation of $\Psi; \Delta' \vdash A^-$ too.

$\Xi$ matches $\Theta_A\{\!\{!B^-\}\!\}$, $\Theta_A\{y{:}B^-\ \mathit{pers}\}$ matches $\Theta_{B^-}\{\!\{\Delta'{\restriction}\mathit{lvl}\}\!\}$, and $\Theta_{B^-}\{x{:}A^-\ \mathit{lvl}\} = \Theta'\{y{:}B^-\ \mathit{pers}\}$. By the induction hypothesis on $M$ and $N$ we have $\Psi; \Theta_A\{y{:}B^-\ \mathit{pers}\} \vdash U$, and the result follows by rule $!L$.

- $[M/x]^{A^-}(\uparrow N) = \uparrow([M/x]^{A^-} N)$

- $[M/x]^{A^-}\{N\} = \{[M/x]^{A^-} N\}$

- $[M/x]^{A^-}(\bullet N) = \bullet([M/x]^{A^-} N)$

- $[M/x]^{A^-}(\lambda_{<} N) = \lambda_{<}([M/x]^{A^-} N)$

- $[M/x]^{A^-}(\lambda_{>} N) = \lambda_{>}([M/x]^{A^-} N)$

- $[M/x]^{A^-}\,\mathsf{abort} = \mathsf{abort}$

- $[M/x]^{A^-}[N_1, N_2] = [[M/x]^{A^-} N_1, [M/x]^{A^-} N_2]$

We must show $\Psi; \Xi \vdash U$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{B_1^+ \oplus B_2^+\}\!\}$, $N_1$ is a derivation of $\Psi; \Theta'\{B_1^+\} \vdash U$, $N_2$ is a derivation of $\Psi; \Theta'\{B_2^+\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

$\Xi$ matches $\Theta_A\{\!\{B_1^+ \oplus B_2^+\}\!\}$, and for $i \in \{1, 2\}$, $\Theta_A\{B_i^+\}$ matches $\Theta_{B_i^+}\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$ and $\Theta_{B_i^+}\{x{:}A^-\ \mathit{lvl}\} = \Theta'\{B_i^+\}$.

By the induction hypothesis on $M$ and $N_1$, we have $\Psi; \Theta_A\{B_1^+\} \vdash U$, by the induction hypothesis on $M$ and $N_2$, we have $\Psi; \Theta_A\{B_2^+\} \vdash U$, and the result follows by rule $\oplus L$.

- $[M/x]^{A^-}\,\top = \top$

- $[M/x]^{A^-}(N_1 \mathbin{\&} N_2) = ([M/x]^{A^-} N_1) \mathbin{\&} ([M/x]^{A^-} N_2)$

- $[M/x]^{A^-}\,a.N = a.([M/x]^{A^-} N)$

- $[M/x]^{A^-}\,[a].N = [a].([M/x]^{A^-} N)$

- $[M/x]^{A^-}\,\mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow \phi(\sigma)) = \mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow [\sigma M/x]^{\sigma A^-}\,\phi(\sigma))$

We must show $\Psi; \Xi \vdash U$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{t \doteq s\}\!\}$, $\phi$ is a function from substitutions $\Psi' \vdash \sigma : \Psi$ that unify $t$ and $s$ to derivations of $\Psi'; \sigma\Theta'\{\cdot\} \vdash \sigma U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

$\Xi$ matches $\Theta_A\{\!\{t \doteq s\}\!\}$, and for any substitution $\sigma$, $\sigma\Theta_A\{\cdot\}$ matches $\sigma\Theta_{\cdot}\{\!\{\sigma\Delta{\restriction}\mathit{lvl}\}\!\}$. By rule $\doteq L$, it suffices to show that, given an arbitrary substitution $\Psi' \vdash \sigma : \Psi$, there is a derivation of $\Psi'; \sigma\Theta_A\{\cdot\} \vdash \sigma U$.

By applying $\sigma$ to $\phi$, we get $\phi(\sigma)$, a derivation of $\Psi'; \sigma\Theta'\{\cdot\} \vdash \sigma U$; the usual interpretation of higher-order derivations is that $\phi(\sigma)$ is a subderivation of $\phi$, so $\phi(\sigma)$ can be used to invoke the induction hypothesis. From variable substitution, we get $\sigma M$, a derivation of $\Psi'; \sigma\Delta \vdash \sigma A^-$, and the result follows by the induction hypothesis on $\sigma M$ and $\phi(\sigma)$.


Substitution into spines

- $[M/x]^{A^-}\,\mathsf{nil} = \mathsf{nil}$

- $[M/x]^{A^-}(\uparrow N) = \uparrow([M/x]^{A^-} N)$

- $[M/x]^{A^-}\{N\} = \{[M/x]^{A^-} N\}$

- $[M/x]^{A^-}(V{<}Sp) =$

$([M/x]^{A^-} V){<}Sp$ (if $x$ is in $V$'s context but not $Sp$'s)

$V{<}([M/x]^{A^-} Sp)$ (if $x$ is in $Sp$'s context but not $V$'s)

$([M/x]^{A^-} V){<}([M/x]^{A^-} Sp)$ (if $x$ is in both $V$ and $Sp$'s contexts)

- $[M/x]^{A^-}(V{>}Sp) =$

$([M/x]^{A^-} V){>}Sp$ (if $x$ is in $V$'s context but not $Sp$'s)

$V{>}([M/x]^{A^-} Sp)$ (if $x$ is in $Sp$'s context but not $V$'s)

$([M/x]^{A^-} V){>}([M/x]^{A^-} Sp)$ (if $x$ is in both $V$ and $Sp$'s contexts)

We must show $\Psi; \Xi \vdash U$, where

■ $M$ is a derivation of $\Psi; \Delta \vdash A^-$,

■ $\Theta\{x{:}A^-\ \mathit{lvl}\}$ matches $\Theta'\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta_A\}\!\}$, $V$ is a derivation of $\Psi; \Delta_A \vdash [B_1^+]$, $Sp$ is a derivation of $\Psi; \Theta'\{[B_2^-]\} \vdash U$,

■ and $\Xi$ matches $\Theta\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$.

There are three possibilities: either $x$ is a variable declaration in $\Theta'$ or $\Delta_A$ but not both (if $\mathit{lvl}$ is $\mathit{eph}$ or $\mathit{ord}$) or $x$ is a variable declaration in both $\Theta'$ and $\Delta_A$ (if $\mathit{lvl}$ is $\mathit{pers}$).

In the first case ($x$ is a variable declaration in $\Delta_A$ only), $\Xi$ matches $\Theta'\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta'_A\}\!\}$, $\Delta'_A$ matches $\Theta_A\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, and $\Delta_A = \Theta_A\{x{:}A^-\ \mathit{lvl}\}$. By the induction hypothesis on $M$ and $V$ we have $[M/x]^{A^-} V$, a derivation of $\Psi; \Delta'_A \vdash [B_1^+]$, and the result follows by rule $\twoheadrightarrow L$ on $[M/x]^{A^-} V$ and $Sp$.

In the second case ($x$ is in $\Theta'$ only), $\Xi$ matches $\Theta_A\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta_A\}\!\}$, $\Theta_A\{[B_2^-]\}$ matches $\Theta_{[B_2^-]}\{\!\{\Delta{\restriction}\mathit{lvl}\}\!\}$, and $\Theta_{[B_2^-]}\{x{:}A^-\ \mathit{lvl}\} = \Theta'\{[B_2^-]\}$. By the induction hypothesis on $M$ and $Sp$, we have $[M/x]^{A^-} Sp$, a derivation of $\Psi; \Theta_A\{[B_2^-]\} \vdash U$, and the result follows by rule $\twoheadrightarrow L$ on $V$ and $[M/x]^{A^-} Sp$.

In the third case ($x$ is in $\Theta'$ and $\Delta_A$), $\Xi$ matches $\Theta_A\{\!\{[B_1^+ \twoheadrightarrow B_2^-], \Delta'_A\}\!\}$, where $\Theta_A$ and $\Delta'_A$ have the same properties as before, and we proceed invoking the induction hypothesis twice.


- $[M/x]^{A^-}\,\pi_1; Sp = \pi_1; ([M/x]^{A^-} Sp)$

- $[M/x]^{A^-}\,\pi_2; Sp = \pi_2; ([M/x]^{A^-} Sp)$

- $[M/x]^{A^-}\,[t]; Sp = [t]; ([M/x]^{A^-} Sp)$

3.5 Identity expansion

The form of the identity expansion theorems is already available to us: the admissible rules $\eta_{A^+}$ and $\eta_{A^-}$ are straightforward generalizations of the explicit rules $\eta^+$ and $\eta^-$ in Figure 3.5 from ordered atomic propositions $p^+$ and $p^-$ to arbitrary propositions and from permeable atomic propositions $p^+_{\mathit{eph}}$, $p^+_{\mathit{pers}}$, and $p^+_{\mathit{lax}}$ to arbitrary permeable propositions $A^+_{\mathit{eph}}$, $A^+_{\mathit{pers}}$ and $A^+_{\mathit{lax}}$. The content of Theorem 3.7 below is captured by the two admissible rules $\eta_{A^+}$ and $\eta_{A^-}$ and also by the two functions $\eta_{A^+}(z.N)$ and $\eta_{A^-}(N)$ that operate on proof terms.

$$\infer[\eta_{A^+}]{\Psi; \Theta\{A^+_{\mathit{lvl}}\} \vdash \eta_{A^+}(z.N) : U}{\Psi; \Theta\{z{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash N : U}
\qquad
\infer[\eta_{A^-}]{\Psi; \Delta \vdash \eta_{A^-}(N) : A^-_{\mathit{lvl}}}{\Psi; \Delta \vdash N : \langle A^-_{\mathit{lvl}}\rangle\ \mathit{lvl} & \Delta\ \mathit{stable}_L}$$

Identity expansion is perhaps not the best name for the property; the name comes from the fact that the usual identity properties are a corollary of identity expansion. Specifically, $\eta_{A^+}(z.z)$ is a derivation of $\Psi; A^+ \vdash A^+\ \mathit{true}$ and $\eta_{A^-}(x \cdot \mathsf{nil})$ is a derivation of $\Psi; x{:}A^-\ \mathit{ord} \vdash A^-$.

In the proof of identity expansion, we do pay some price in return for including permeable propositions, as we perform slightly different bookkeeping depending on whether or not it is necessary to apply admissible weakening to the subderivation $N$. However, this cost is mostly borne by the part of the context we leave implicit.

Theorem 3.7 (Identity expansion).

* If $\Psi; \Theta\{z{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash U$ and $\Delta$ matches $\ldots$, then $\Psi; \Delta \vdash U$.

* If $\Psi; \Delta \vdash \langle A^-_{\mathit{lvl}}\rangle\ \mathit{lvl}$ and $\Delta$ is stable, then $\Psi; \Delta \vdash A^-_{\mathit{lvl}}$.

Proof. By mutual induction over the structure of types. We provide the full definition at the level of proof terms and include an extra explanatory derivation for a few of the positive cases.

Positive cases

- $\eta_{p^+_{\mathit{lvl}}}(z.N) = (z).N$

$N$ is a derivation of $\Psi; \Theta\{z{:}\langle p^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash U$; the result follows immediately by the rule $\eta^+$:

$$\infer[\eta^+]{\Psi; \Theta\{p^+_{\mathit{lvl}}\} \vdash (z).N : U}{\Psi; \Theta\{z{:}\langle p^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash N : U}$$

- $\eta_{\downarrow A^-}(z.N) = \downarrow x.([(\downarrow(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N)$

$N$ is a derivation of $\Psi; \Theta\{z{:}\langle \downarrow A^-\rangle\ \mathit{ord}\} \vdash U$. We construct a context $\Xi$ that contains only the persistent propositions from $\Delta$. This means $\Theta\{\!\{\Xi, x{:}A^-\ \mathit{ord}\}\!\}$ matches $\Theta\{x{:}A^-\ \mathit{ord}\}$. We can then derive:


$$\infer[\downarrow L]{\Psi; \Theta\{\downarrow A^-\} \vdash \downarrow x.([(\downarrow(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N) : U}{
\infer[\mathit{subst}^+]{\Psi; \Theta\{x{:}A^-\ \mathit{ord}\} \vdash [(\downarrow(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N : U}{
\infer[\downarrow R]{\Psi; \Xi, x{:}A^-\ \mathit{ord} \vdash \downarrow(\eta_{A^-}(x \cdot \mathsf{nil})) : [\downarrow A^-]}{
\infer[\eta_{A^-}]{\Psi; \Xi, x{:}A^-\ \mathit{ord} \vdash \eta_{A^-}(x \cdot \mathsf{nil}) : A^-\ \mathit{true}}{
\infer[\mathit{focus}_L]{\Psi; \Xi, x{:}A^-\ \mathit{ord} \vdash x \cdot \mathsf{nil} : \langle A^-\rangle\ \mathit{true}}{
\infer[\mathit{id}^-]{\Psi; \Xi, [A^-] \vdash \mathsf{nil} : \langle A^-\rangle\ \mathit{true}}{}}}}
& \Psi; \Theta\{z{:}\langle \downarrow A^-\rangle\ \mathit{ord}\} \vdash N : U}}$$


- $\eta_{\text{¡}A^-}(z.N) = \text{¡}x.([(\text{¡}(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N)$

- $\eta_{!A^-}(z.N) = !x.([(!(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N)$

$N$ is a derivation of $\Psi; \Theta\{z{:}\langle !A^-\rangle\ \mathit{lvl}\} \vdash U$, where $\mathit{lvl}$ can be anything ($\mathit{ord}$, $\mathit{eph}$, or $\mathit{pers}$). We construct a context $\Xi$ that contains only the persistent propositions from $\Delta$ and a frame $\Theta^+$ that is $\Theta$ plus an extra variable declaration $x{:}A^-\ \mathit{pers}$. This means that $\Theta\{x{:}A^-\ \mathit{pers}\}$ matches $\Theta^+\{\!\{(\Xi, x{:}A^-\ \mathit{pers}){\restriction}\mathit{lvl}\}\!\}$. We can then derive:


$$\infer[!L]{\Psi; \Theta\{!A^-\} \vdash !x.([(!(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N) : U}{
\infer[\mathit{subst}^+]{\Psi; \Theta\{x{:}A^-\ \mathit{pers}\} \vdash [(!(\eta_{A^-}(x \cdot \mathsf{nil})))/z]N : U}{
\infer[!R]{\Psi; \Xi, x{:}A^-\ \mathit{pers} \vdash !(\eta_{A^-}(x \cdot \mathsf{nil})) : [!A^-]}{
\infer[\eta_{A^-}]{\Psi; \Xi, x{:}A^-\ \mathit{pers} \vdash \eta_{A^-}(x \cdot \mathsf{nil}) : A^-\ \mathit{true}}{
\infer[\mathit{focus}_L]{\Psi; \Xi, x{:}A^-\ \mathit{pers} \vdash x \cdot \mathsf{nil} : \langle A^-\rangle\ \mathit{true}}{
\infer[\mathit{id}^-]{\Psi; \Xi, x{:}A^-\ \mathit{pers}, [A^-] \vdash \mathsf{nil} : \langle A^-\rangle\ \mathit{true}}{}}}}
& \infer[\mathit{weaken}]{\Psi; \Theta^+\{z{:}\langle !A^-\rangle\ \mathit{lvl}\} \vdash N : U}{\Psi; \Theta\{z{:}\langle !A^-\rangle\ \mathit{lvl}\} \vdash N : U}}}$$


- $\eta_{\mathbf{1}}(z.N) = ().([()/z]N)$

- $\eta_{A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}}(z.N) = \bullet(\eta_{A^+}(z_1.\ \eta_{B^+}(z_2.\ [(z_1 \bullet z_2)/z]N)))$

$N$ is a derivation of $\Psi; \Theta\{z{:}\langle A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash U$, where $\mathit{lvl}$ can be anything ($\mathit{ord}$, $\mathit{eph}$, or $\mathit{pers}$). We construct a context $\Xi$ that contains only the persistent propositions from $\Delta$ and a frame $\Theta^+$ that is either $\Theta$ (if $\mathit{lvl}$ is $\mathit{ord}$ or $\mathit{eph}$) or it is $\Theta$ plus additional variable declarations $z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$ and $z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$ (if $\mathit{lvl}$ is $\mathit{pers}$). This means that $\Theta\{z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}, z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\}$ matches $\Theta^+\{\!\{(\Xi, z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}, z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}){\restriction}\mathit{lvl}\}\!\}$. We can then derive:

$$\infer[\bullet L]{\Psi; \Theta\{A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}\} \vdash \bullet(\eta_{A^+}(z_1.\ \eta_{B^+}(z_2.\ [(z_1 \bullet z_2)/z]N))) : U}{
\infer[\eta_{A^+}]{\Psi; \Theta\{A^+_{\mathit{lvl}}, B^+_{\mathit{lvl}}\} \vdash \eta_{A^+}(z_1.\ \eta_{B^+}(z_2.\ [(z_1 \bullet z_2)/z]N)) : U}{
\infer[\eta_{B^+}]{\Psi; \Theta\{z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}, B^+_{\mathit{lvl}}\} \vdash \eta_{B^+}(z_2.\ [(z_1 \bullet z_2)/z]N) : U}{
\infer[\mathit{subst}^+]{\Psi; \Theta\{z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}, z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash [(z_1 \bullet z_2)/z]N : U}{
\infer[\bullet R]{\Psi; \Xi_1, \Xi_2 \vdash z_1 \bullet z_2 : [A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}]}{
\infer[\mathit{id}^+]{\Psi; \Xi_1 \vdash z_1 : [A^+_{\mathit{lvl}}]}{} & \infer[\mathit{id}^+]{\Psi; \Xi_2 \vdash z_2 : [B^+_{\mathit{lvl}}]}{}}
& \infer[\mathit{weaken}]{\Psi; \Theta^+\{z{:}\langle A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash N : U}{\Psi; \Theta\{z{:}\langle A^+_{\mathit{lvl}} \bullet B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}\} \vdash N : U}}}}}$$

Either $\Xi_1$ and $\Xi_2$ are both $\Xi, z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}, z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$ (if $\mathit{lvl}$ is $\mathit{pers}$), or $\Xi_1$ is $\Xi, z_1{:}\langle A^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$ and $\Xi_2$ is $\Xi, z_2{:}\langle B^+_{\mathit{lvl}}\rangle\ \mathit{lvl}$ (if $\mathit{lvl}$ is $\mathit{ord}$ or $\mathit{eph}$).
- $\eta_{\mathbf{0}}(z.N) = \mathsf{abort}$

- $\eta_{A^+ \oplus B^+}(z.N) = [\eta_{A^+}(z_1.\ [\mathsf{inl}(z_1)/z]N), \eta_{B^+}(z_2.\ [\mathsf{inr}(z_2)/z]N)]$

- $\eta_{\exists a{:}\tau. A^+_{\mathit{lvl}}}(z.N) = a.\eta_{A^+}(z'.\ [(a, z')/z]N)$

- $\eta_{t \doteq s}(z.N) = \mathsf{unif}\,(\mathsf{fn}\ \sigma \Rightarrow [\mathsf{refl}/z](\sigma N))$

Negative  cases 

-  (JV)  =  (N) 

-  VoaAN)  =  {[JV]({j^+(s.2)})} 

-  Va*~b~,(n)  =  A<(im+(s.  %- ([Af](j< NIL)))) 

Ivl  Ivl 

-  VA+^>Bf, (N)  =  A >(r]A+(z.  r]B-  ( [N] (^> NIL) ) ) ) 

-  rn(N)  =  T 

-  Va-.&b-W  =  (^-([^] (to; NIL)))  &  (r}B-{[N](Tr2;mL))) 

-  Vva:r.ATl(N)  =  M' ■  (VaTi  (M  ([«]  5  NIL))) 

□ 


3.6  Correctness  of  focusing 

Our proof of the correctness of focusing is based on erasure as described in Section 2.3.7. The argument follows the one from the structural focalization development, and its key component is the set of unfocused admissibility lemmas, which establish that each of the reasoning steps that can be made in unfocused OL3 is an admissible inference on stable sequents in focused OL3.

3.6.1  Erasure 

As in Section 2.3.7, we define erasure only on stable, suspension-normal sequents. Erasure for propositions is defined as in Figure 3.8. As discussed in Section 2.5.4, even though we have not incorporated a notion of permeable and mobile atomic propositions into the unfocused presentation of OL3, it is possible to erase a permeable atomic proposition p⁺_pers as !p⁺_pers.³ In this way, we can see the separation criteria from our previous work [SP08, PS09] arising as an emergent property of erasure.

We have to define erasure on non-stable sequents in order for the soundness of focusing to go through, though we will only define erasure on suspension-normal sequents. The erasure of succedents, U°, maps polarized succedents A⁺ lvl, ⟨p⁻_lvl⟩ lvl, [A⁺], and A⁻ in the obvious way to unpolarized succedents (A⁺)° lvl, p⁻_lvl lvl, (A⁺)° ord, and (A⁻)° ord, respectively. To describe the erasure of contexts more simply, we will assume that we can give a presentation of unfocused

³The polarity and level annotations are meaningless in the unfocused logic. We keep them only to emphasize that p_pers and p_lax do not erase to the same unpolarized atomic proposition p but to two distinct unpolarized atomic propositions.
(A⁺)°                                      (A⁻)°
  (p⁺)°          = p⁺                        (p⁻)°          = p⁻
  (p⁺_eph)°      = ¡p⁺_eph                   (p⁻_lax)°      = ○p⁻_lax
  (p⁺_pers)°     = !p⁺_pers
  (↓A⁻)°         = (A⁻)°                     (↑A⁺)°         = (A⁺)°
  (¡A⁻)°         = ¡(A⁻)°                    (○A⁺)°         = ○(A⁺)°
  (!A⁻)°         = !(A⁻)°
  (1)°           = 1                         (A⁺ ↣ B⁻)°     = (A⁺)° ↣ (B⁻)°
  (A⁺ • B⁺)°     = (A⁺)° • (B⁺)°             (A⁺ ↠ B⁻)°     = (A⁺)° ↠ (B⁻)°
  (0)°           = 0                         (⊤)°           = ⊤
  (A⁺ ⊕ B⁺)°     = (A⁺)° ⊕ (B⁺)°             (A⁻ & B⁻)°     = (A⁻)° & (B⁻)°
  (∃a:τ.A⁺)°     = ∃a:τ.(A⁺)°                (∀a:τ.A⁻)°     = ∀a:τ.(A⁻)°
  (t = s)°       = t = s

Figure 3.8: Erasure in OL3


OL3 that uses unified substructural contexts, as we outlined in Section 3.2; the judgments of this presentation have the form Ψ; Δ ⟹ U. In this presentation, we can define Δ° as the function that takes every variable declaration x:A⁻ lvl, x:⟨p⁺_lvl⟩ lvl, [A⁻], or A⁺ to a variable declaration x:(A⁻)° lvl, x:p⁺_lvl lvl, x:(A⁻)° ord, or x:(A⁺)° ord, respectively (in the process either coming up with or revealing the suppressed variable names associated with focused negative propositions and inverting positive propositions). Erasure of succedents U° is similar: (A⁺ lvl)° = (A⁺)° lvl, (⟨p⁻_lvl⟩ lvl)° = p⁻_lvl lvl, ([A⁺])° = (A⁺)° true, and (A⁻)° = (A⁻)° true.


3.6.2  De-focalization 

The act of taking a focused proof of a sequent and getting an unfocused proof of the corresponding erased sequent is de-focalization. If we run the constructive content of the proof of the soundness of focusing (the OL3 analogue of Theorem 2.5 from Section 2.3.7), the proof performs de-focalization.

Theorem 3.8 (Soundness of focusing/de-focalization). If Ψ; Δ ⊢ U, then Ψ; Δ° ⟹ U°.

Proof. By induction over the structure of focused proofs. Most rules (•R, ↠R, etc.) in the focused derivations have an obviously analogous rule in the unfocused logic, and for the four rules dealing with shifts, the necessary result follows directly from the induction hypothesis. The focusL rule potentially requires an instance of the admissible copy or place rules in unfocused OL3, and the focusR rule potentially requires an instance of the admissible lax rule in unfocused OL3. □


3.6.3  Unfocused  admissibility 

Unfocused  admissibility  has  a  structure  that  is  unchanged  from  the  previous  discussion  in  the 
proof  of  the  completeness  of  focusing  for  linear  logic  (Theorem  2.6  in  Section  2.3.7).  In  this 
Atomic propositions

* ;  (pm)  ^  * :  pIi  lvl'  * ;  x:Wvi  i“ x  •  t(4 -z--pm  'ivi' 

^',x'-Pm  1“  x  •  NIL  :  (pYvl)  lvl  x\pjvl  h  |(x  •  NIL)  :  \.pjvl  lvl 

Exponentials 

f;AhiV  :  A+  ord  \l/;  ®{x'\A~  ord}  F  N  :  U 

¥;'e{x7t|P'r^ 

$;Ah  N  :  ]A~  ord  ;  ®{x'-.A~  eph}  F  N  :  U 

A\eph  h  m/xj^-]VA-(x-UW.  (x'  •  NIL)))  :  \  A~  lvl  ¥;0{.x:'ti^“}  h  x-}\ x'.N  :  U 
A  F  N  :  IA~  ord  ®{x':A~  pers}  \~  N  :  U 

'I';  A\pers  F  [tAr/x]]^'4  ! Va~(x  '  UW-  ( x '  '  NIL)))  :  !Fl“  lvl  I-  x  ■  f  \x'.N  :  U 

f;Ah  JV  :  A+  lax  . 1L—E.. . 

WiKTJ{N}7ioA+M  v|/;  0{{.r:f  ,1 '  }}  I  [x  ■  pA+  (-'•  AT  :  U [lax 

Multiplicative  connectives  ( >— »  and  -»  are  symmetric ) 

^;0{-}  F  N  :  U 

¥••  f"() Tim  ¥70{¥:fij T "x-Jo'n'Tu 

'I' ;  Ai  F  N\  :  A+  ord  '3/ ;  A2  F  iV2  '■  B+  ord 
’F;  Ai,  A2  I-  ltNi/xii^+  (In2}^+Vb+(z2-  XI  •  tVA+(zi.  Zi  •  z2)))  :  A+  •  B+  lvl 

0{xi:tA+,  x2-tB+}  F  N:U 

*;  01x:t(A+  .  B+)}  F  x  •  t[^+U-  *7b+(>2.  4-t*i  •  Itz2))jm+^B+ •(lxi.lx2.N)  :  U 

vF;  x:YA+  ord,  A\~  N  :  \.B~  ord 

$;Ah  [(A<(|x.tA))/x/]^^^'*'S  (1\<pa+(z.  p  b-(x>  ■  (4-t^)<  (t-i-a;//-£c//  •  NIL))))  :  l(^4+  >— *  B 

Aa  F  JVi  :  A+  ord  ;  0{x':5-  ord}  hiV2:I/ 

¥;  {Aa,.t:¥+  >->  J5-}  F  iivj?7A+(z.  4-?7S-(x  •  3<NlL)j]i®'.iv2  :  U 

Figure  3.9:  Unfocused  admissibility  for  the  multiplicative,  exponential  fragment  of  OL3 


)  ord 
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A  h  Ni  :  A+  ord 

0{{a;:t61  P  x  •  tABORT  :  U  (F;  A  P  (Ni  j r)A+  (2 .  INL  (z)  j A+  :  A+  ®  B+  Ivl 

'F;  ©{^i:t-4+  ord}  h  :  U  'F;  0{.t, :t;B+  ord}  h  iV2  :  U 

0{{a-:t(^+  ©  B+)}  P  x  ■  :  U 

'F;  Q{Xl\A~  ord}  A\  :  U 

W-A 'P JY:JTM  ¥;0{jP:P'&  5-|Tl^P(P'-'Pi'rNILj7P',|/Y^P''^ 

T;  A  h  Ni  :  \.A~  ord  \F;  A  b  N2  :  \.B~  ord 
A  P  jj'ft/Vi  &  t N2)/xjl(riA-  (x  ■  7Ti;  tijj/-  V  ■  nil)  j  &  r)B-  (. . .)  j  :  |(^4"  &  B~j  Ivl 

Figure 3.10: Unfocused admissibility for the additive connectives of OL3 (omits ⊕R2, &L2)

$  h  t  :  t  'F;  A  h  N  :  [ t/a]A+  ord 
’F;  A  P  fivjj  (r)[t/a\A+  \z.  (t,z)  jj  :  3a:r.A+  "ivl 

'F,  a:r;  Q{x'-AA+  ord}  t~  N  :  U 

\F;  0({a;:t(3a:T.A+)]}  F  x  ■  t[ a.r]A+(z.  (a,  J,t^))]3a:r-'l't^+(a4a;/.A)  :  U 

\F,  a:r;  Ah  N  :  } ,A~  ord 

'F;  A  b  [[a]-tiV/a:]Va:T‘^  f ([a\.r)A-(x  ■  [a];  ti-lV-V  '  NIL)))  :  |(Va:r.A_)  Ivl 
$  h  t  :  t  'F;  ®{x' :\t / a]A~  ord}  h  N  :  U 

'F;  (-){{x:Va:r.A_}}  P  \r)[t/a]A-{x  •  [a];  NlL)/x'j N'  :  U  'F ;  •  P  refl  :  t  =  t  ivl 
V(vF'  h  a  :  \F).  at  =  as  — >  \F';  cr0{-}  h  </>(cr)  :  aU 

T;  0|x:t(f  =  s)f  P  x  ■  f(UNIF  (fn  a  =>■  <j)(a jj  j  :  U 

Figure  3.11:  Unfocused  admissibility  for  the  first-order  connectives  of  OL3 

presentation, we present unfocused admissibility primarily on the level of proof terms. The resulting presentation is quite dense; proofs of this variety really ought to be mechanized, though we leave that for future work.

For the most part, there is exactly one unfocused admissibility rule for each rule of unfocused OL3. The justifications for the unfocused admissibility lemmas for the multiplicative, exponential fragment of OL3 are given in Figure 3.9; the additive fragment is given in Figure 3.10, and the first-order connectives are treated in Figure 3.11. There are two additional rules that account for the fact that different polarized propositions, like  and A⁺, erase to the same unpolarized proposition (A⁺)°. For the same reason, Figure 3.9 contains four id-like rules, since atomic propositions can come in positive and negative varieties and can appear in the context either suspended or not.

We  can  view  unfocused  admissibility  as  creating  an  abstraction  layer  of  admissible  rules  that 
can  be  used  to  build  focused  proofs  of  stable  sequents.  The  proof  of  the  completeness  of  focusing 
below  constructs  focused  proofs  entirely  by  working  through  the  interface  layer  of  unfocused 
admissibility. 
3.6.4 Focalization


The act of taking an unfocused proof of an erased sequent and getting a focused proof of the un-erased sequent is focalization. If we run the constructive content of the proof of the completeness of focusing (the OL3 analogue of Theorem 2.6 from Section 2.3.7), which takes any stable, suspension-normal sequent as input, the proof performs focalization.

Theorem 3.9 (Completeness of focusing/focalization). If Ψ; Δ° ⟹ U°, where Δ and U are stable and suspension-normal, then Ψ; Δ ⊢ U.

Proof. By an outer induction on the structure of unfocused proofs and an inner induction over the structure of polarized formulas A⁺ and A⁻ in order to remove series of shifts ↓↑ ··· ↑↓A⁻ from formulas until an unfocused admissibility lemma can be applied. □


3.7  Properties  of  syntactic  fragments 

In the structural focalization methodology, once cut admissibility and identity expansion are established, the only interesting part of the proof of the completeness of focusing is the definition of an erasure function and the presentation of a series of unfocused admissibility lemmas. The unfocused admissibility lemmas for non-invertible rules, like •R and ↣L, look straightforward:

TqAib  A+ true  \k;  A2  b  B+  true  Aa\~  A+ ord  ^;Q{x':B~  ord}  b  U 

. M/:  AiTA7bTi':'''.'7F:'7r/ . i;"e| A^ "x:A+ 77 'jFjF  U . 

Because unfocused admissibility is defined only on stable sequents in our methodology, the invertible rules, like •L and ↣R, require the presence of shifts:

\k;  ©{xi:jb4+  ord ,  x2:f B+  ord}  b  U  vk;  x:fA+  ord,  A  b  \.B~  true 

. •"is+ji"  Tu . T- A':'''TrTr"— ''/} )  /r/ 

The  presence  of  shifts  is  curious,  due  to  our  observation  in  Section  3.3.2  that  the  shifts  have  much 
of  the  character  of  exponentials;  they  are  exponentials  that  do  not  place  any  restrictions  on  the 
form  of  the  context. 

As a thought experiment, imagine the removal of the shifts ↑ and ↓ from the language of propositions in OL3. Were it not for the presence of atomic propositions p⁺ and p⁻, this change would make every proposition A⁺ a mobile proposition A⁺_eph and would make every proposition A⁻ a right-permeable proposition A⁻_lax. But arbitrary atomic propositions are intended to be stand-ins for arbitrary propositions! If arbitrary propositions lack shifts, then non-mobile atomic propositions would appear to no longer stand for anything. Therefore, let's remove them too, leaving only the permeable, mobile, and right-permeable atomic propositions p⁺_pers, p⁺_eph, and p⁻_lax. Having done so, every positive proposition is mobile, and every negative proposition is right-permeable.

Now we have a logical fragment where every positive proposition is mobile and every negative proposition is observed to be right-permeable. Consider a derivation Ψ; Δ ⊢ A⁺ lax where Δ is stable and includes only linear and persistent judgments (that is, Δ = Δ|eph). It is simple to observe that, for every subderivation Ψ'; Δ' ⊢ U', if Δ' is stable then Δ' = Δ'|eph, and if U' is stable then U' = U'|lax. Given that this is the case, the restrictions that the focused ¡R and ○L rules make are always satisfiable, the same property that we previously observed of the focused shift rules ↓R and ↑L. In our syntactic fragment, in other words, the exponentials ¡ and ○ have become effective replacements for ↓ and ↑.

The cut and identity theorems survive our restriction of the logic entirely intact: these theorems handle each of the connectives separately and are stable under the addition or removal of individual connectives. That is not true for the unfocused admissibility lemmas, which critically and heavily use shifts. However, while we no longer have our original shifts, we have replacement shifts in the form of ¡ and ○, and we can replay the logic of the unfocused admissibility lemmas in order to gain new ones that look like this:

'k;  Ai  b  A+  lax  vk;A2b  B+ lax  T;A^b  A+ lax  'k;  Q{x':B~  eph}  b  U 
. vl7;'A|';'A7b''I+'«'5+'/ax . ¥^0l;A^x:A+~S-j'b'ii7 . 

'k;  0{xi:jA+  eph,X2'.\B+  eph}  b  U  'k;  x\\A+  eph ,  A  b  O B  lax 

. ^JqIx-i(a+Vbt)}Tu . 

(To be clear, just as all the unfocused admissibility lemmas only applied to stable sequents, the unfocused admissibility lemmas above only apply when contexts and succedents are both stable and free of judgments A ord and A true.)

The point of this exercise is that, given the definition and metatheory of OL3, there is a reasonably large family of related systems, including ordered linear logic, lax logic, linear lax logic, and linear logic, that can be given erasure-based focalization proofs relative to OL3; at most, the erasure function and the unfocused admissibility lemmas need to be adapted. The fragment we have defined here corresponds to regular linear logic. In the erasure of polarized OL3 propositions to linear logic propositions, the "pseudo-shifts" ○ and ¡ are wiped away: (○A⁺)° = (A⁺)° and (¡A⁻)° = (A⁻)°. Additionally, the two implications are conflated: (A⁺ ↣ B⁻)° = (A⁺ ↠ B⁻)° = (A⁺)° ⊸ (B⁻)°. Beyond that, and the renaming of fuse to tensor, (A⁺ • B⁺)° = (A⁺)° ⊗ (B⁺)°, the structure of erasure remains intact, and we can meaningfully focalize unfocused linear logic derivations into focused OL3 derivations.


3.8  The  design  space  of  proof  terms 

In  the  design  space  of  logical  frameworks,  our  decision  to  view  proof  terms  E  as  being  fully 
intrinsically  typed  representatives  of  focused  derivations  is  somewhat  unusual.  This  is  because, 
in  a  dependently  typed  logical  framework,  the  variable  substitution  theorem  (which  we  had  to 
establish  very  early  on)  and  the  cut  admissibility  theorem  (which  we  established  much  later)  are 
effectively  the  same  theorem;  handling  everything  at  once  is  difficult  at  best,  and  dependent  types 
seem  to  force  everything  to  be  handled  at  once  in  an  intrinsically  typed  presentation. 

Since the advent of Watkins' observations about the existence of hereditary substitution and its application to logical frameworks [WCPW02], the dominant approach to the metatheory of logical frameworks has been to define proof terms E that have little, if any, implicit type structure: just enough so that it is possible to define the hereditary substitution function [M/x]E. The work by Martens and Crary goes further, treating hereditary substitution as a relation, not a function, so that absolutely no intrinsic type system is necessary, and the proof terms are merely untyped abstract binding trees [MC12].

If we were to take such an approach, we would need to treat the judgment Ψ; Δ ⊢ E : U as a genuine four-place relation, rather than the three-place relation Ψ; Δ ⊢ U annotated with a derivation E of that sequent. Then, the analogue of cut admissibility (part 4) would show that if Ψ; Δ ⊢ M : A⁻ and Ψ; Θ{x:A⁻ lvl} ⊢ E : U, and Ξ matches Θ{{Δ|lvl}}, then Ψ; Ξ ⊢ [M/x]E : U, where [M/x]E is some function on proof terms that has already been defined, rather than just an expression of the computational content of the theorem. Being able to comfortably conflate the computational content of a theorem with its operation on proof terms is the primary advantage of the approach taken in this chapter; it avoids a great deal of duplicated effort. The cost of this approach is that we cannot apply the modern Canonical LF methodology in which we define a proof term language that is intrinsically only simply well-typed and then overlay a dependent type system on top of it (this is discussed in Section 4.1.2 in the context of LF). As we discuss further in Section 4.7.3, this turns out not to be a severe limitation given the way we want to use OL3.

It is not immediately obvious how the substitution [M/x]E could be defined without accounting for the full structure of derivations. The rightist substitution function, in particular, is computationally dependent on the implicit bookkeeping associated with the matching constructs, and that bookkeeping is more of an obstacle in our setting than the implicit type annotations. The problem, if we wish to see it as a problem, is that we cannot substitute a derivation M of Ψ; Δ ⊢ A⁻ into a derivation E of Ψ; Θ{x:A⁻ ord} ⊢ U unless x is actually free in E. Therefore, when we try to substitute the same M into V₁ • V₂, we are forced to determine what judgment x is associated with; if x is associated with a linear or ephemeral judgment, we must track which subderivation x is assigned to in order to determine what is to be done next.

Fine-grained tracking of variables during substitution is both very inefficient when type theories are implemented as logical frameworks and unnatural to represent for proof assistants like Twelf that implement a persistent notion of bound variables. Therefore other developments have addressed this problem (see, for example, Cervesato et al. [CdPR99], Schack-Nielsen and Schürmann [SNS10], and Crary [Cra10]). It might be possible to bring our development more in line with these other developments by introducing a new matching construct of substitution into contexts, the substitution construct [Δ/(x:A⁻ lvl)]Ξ. If Ξ = Θ{x:A⁻ lvl}, then this would be the same as Θ{{Δ}}, but if x is not in the variable domain of Ξ, then Ξ matches [Δ/(x:A⁻ lvl)]Ξ.

Δ|lvl     Ψ; Δ ⊢ M : A⁻     Ψ; Ξ ⊢ E : U     Δ stable_L     [M/x]E = E'
--------------------------------------------------------------------------- rcut
                       Ψ; [Δ/(x:A⁻ lvl)]Ξ ⊢ E' : U

Using this formulation of rcut, it becomes unproblematic to define [M/x](V₁ • V₂) as substituting M into both V₁ and V₂, as we are allowed to substitute for x even in terms where the variable cannot appear. Using this strategy, it should be possible to describe and formalize the development in this chapter with proof terms that do nothing more than capture the binding structure of derivations.

The above argument suggests that the framing-off operation is inconvenient to use for specifying the rcut part of cut admissibility, because it forces us to track where the variable ends up and direct the computational content of cut admissibility accordingly. However, the development in this chapter shows that it is clearly possible to define cut admissibility in terms of the framing-off operation Θ{{Δ}}. That is not necessarily the case for every logic. For instance, to give a focused presentation of Reed's queue logic [Ree09c], we would need a matching construct [Δ/x]Ξ that is quite different from the framing-off operation Δ{{x:A⁻}} used to describe the logic's left rules. I conjecture that logics where the framing-off operation is adequate for the presentation of cut admissibility are the same as those logics which can be treated in Belnap's display logic [Bel82].




Chapter  4 

Substructural  logical  specifications 


In  this  chapter,  we  design  a  logical  framework  of  substructural  logical  specifications  (SLS), 
a  framework  heavily  inspired  by  the  Concurrent  Logical  Framework  (CLF)  [WCPW02].  The 
framework  is  justified  as  a  fragment  of  the  logic  OL3  from  Chapter  3.  There  are  a  number  of 
reasons  why  we  do  not  just  use  the  already-specified  OL3  outright  as  a  logical  framework. 

*  Formality.  The  specifics  of  the  domain  of  first-order  quantification  in  OL3  were  omitted  in 
Chapter  3,  so  in  Section  4.1  we  give  a  careful  presentation  of  the  term  language  for  SLS, 
Spine  Form  LF. 

* Clarity. The syntax constructions that we presented for OL3 proof terms had a 1-to-1 correspondence with the sequent calculus rules; the drawback of this presentation is that large proof terms are notationally heavy and difficult to read. The proof terms we present for SLS will leave implicit some of the information present in the diacritical marks of OL3 proof terms.

An implementation based on these proof terms would need to consider type reconstruction and/or bidirectional typechecking to recover the omitted information, but we will not consider those issues in this dissertation.

* Separating concurrent and deductive reasoning. Comparing CLF to OL3 leads us to conclude that the single most critical design feature of CLF is its omission of the proposition ↑A⁺. This single omission¹ means that st able sequents in CLF or SLS are effectively restricted to have the succedent ⟨p⁻⟩ true or the succedent A⁺ lax.

Furthermore, any left focus when the succedent is ⟨p⁻⟩ true must conclude with the rule id⁻, and any left focus when the succedent is A⁺ lax must conclude with ○L; without the elimination of ↑A⁺, left focus in both cases could additionally conclude with the left rule for ↑A⁺. This allows derivations that prove ⟨p⁻⟩ true, the deductive fragment of CLF or SLS, to adequately represent deductive systems, conservatively extending deductive logical frameworks like LF and LLF. Derivations that prove A⁺ lax, on the other hand, fall into the concurrent fragment of CLF and SLS and can encode evolving systems. These fragments have interesting logic programming interpretations, which we explore in Section 4.6.

¹In our development, the omission of right-permeable propositions p⁻_lax from OL3 is equally important, but permeable propositions as we have presented them in Section 2.5.4 were not a relevant consideration in the design of CLF.
* Partial proofs. The design of CLF makes it difficult to reason about and manipulate the proof terms corresponding to partial evaluations of evolving systems in the concurrent fragment: the proof terms in CLF correspond to complete proofs, and partial evaluations naturally correspond to partial proofs.

The syntax of SLS is designed to support the explicit representation of partial OL3 proofs. The omission of the propositions 0 and A⁺ ⊕ B⁺, and the restrictions we place on t =_τ s, are made in the service of presenting a convenient and simple syntax for partial proofs. The three syntactic objects representing partial proofs, patterns (Section 4.2.4), steps, and traces (Section 4.2.6), allow us to treat proof terms for evolving systems as first-class members of SLS.

The removal of 0 and A⁺ ⊕ B⁺, and the restrictions we place on t =_τ s, also assist in imposing an equivalence relation, concurrent equality, on SLS terms in Section 4.3. Concurrent equality is a coarser equivalence relation than the α-equivalence of OL3 terms.

* Removal of ⊤. The presence of ⊤ causes pervasive problems in the design of substructural logical frameworks. Many of these problems arise at the level of implementation and type reconstruction, which motivated Schack-Nielsen to remove ⊤ from the Celf implementation of CLF [SN11]. Even though those considerations are outside the scope of this dissertation, the presence of ⊤ causes other pervasive difficulties: for instance, the presence of ⊤ complicates the discussion of concurrent equality in CLF. We therefore follow Schack-Nielsen in removing ⊤ from SLS.

In  summary,  with  SLS  we  simplify  the  presentation  of  OL3  for  convenience  and  readability, 
restrict  the  propositions  of  OL3  to  separate  concurrent  and  deductive  reasoning  and  to  make  the 
syntax  for  partial  proofs  feasible,  and  extend  OL3  with  a  syntax  for  partial  proofs  and  a  coarser 
equivalence  relation. 

In Section 4.1 we review the term language for SLS, Spine Form LF. In Section 4.2 we present SLS as a fragment of OL3, and in Section 4.3 we discuss concurrent equality. In Section 4.4 we adopt the methodology of adequate encoding from LF to SLS, in the process introducing generative signatures, which play a starring role in Chapter 9. In Section 4.5 we cover the SLS prototype implementation, and in Section 4.6 we review some intuitions about logic programming in SLS. Finally, in Section 4.7, we discuss some of the decisions reflected in the design of SLS and how some of those decisions could potentially have been made differently.


4.1  Spine  Form  LF  as  a  term  language 

Other substructural logical frameworks, like Cervesato and Pfenning's LLF [CP02], Polakow's OLF [Pol01], and Watkins et al.'s CLF [WCPW02], are fully-dependent type theories: the language of terms (that is, the domain of first-order quantification) is the same as the language of proof terms, the representatives of logical derivations. The logical framework SLS presented in this chapter breaks from this tradition, a choice we discuss further in Section 4.7.3. The domain of first-order quantification, which was left unspecified in Chapter 3, will be presently described as Spine Form LF, a well-understood logical framework derived from the normal forms of the purely persistent type theory LF [HHP93].




All  the  information  in  this  section  is  standard  and  adapted  from  various  sources,  especially 
Harper,  Honsell,  and  Plotkin’s  original  presentation  of  LF  [HHP93],  Cervesato  and  Pfenning’s 
discussion  of  spine  form  terms  [CP02],  Watkins  et  al.’s  presentation  of  the  canonical  forms  of 
CLF  [WCPW02],  Nanevski  et  al.’s  dependent  contextual  modal  type  theory  [NPP08],  Harper 
and  Licata’s  discussion  of  Canonical  LF  [HL07],  and  Reed’s  spine  form  presentation  of  HLF 
[Ree09a] . 

It  would  be  entirely  consistent  for  us  to  appropriate  Harper  and  Licata’s  Canonical  LF  presen¬ 
tation  instead  of  presenting  Spine  Form  LF.  Nevertheless,  a  spine-form  presentation  of  canonical 
LF  serves  to  make  our  presentation  more  uniform,  as  spines  are  used  in  the  proof  term  language 
of  SLS.  Canonical  term  languages  like  Canonical  LF  correspond  to  normal  natural  deduction  pre¬ 
sentations  of  logic,  whereas  spine  form  term  languages  correspond  to  focused  sequent  calculus 
presentations  like  the  ones  we  have  considered  thus  far. 

4.1.1  Core  syntax 

The syntax of Spine Form LF is extended in two places to handle SLS: rules r : A⁻ in the signature contain negative SLS types A⁻ (though it would be possible to separate out the LF portion of signatures from the SLS rules), and several new base kinds are introduced for the sake of SLS: prop, prop ord, prop lin, and prop pers.


Signatures           Σ     ::= · | Σ, c : τ | Σ, a : κ | Σ, r : A⁻
Variables            a, b  ::= ...
Variable contexts    Γ     ::= · | Γ, a:τ
Kinds                κ     ::= Πa:τ.κ | type | prop | prop ord | prop lin | prop pers
Types                τ     ::= Πa:τ.τ' | a · sp
Heads                h     ::= a | c
Normal terms         t, s  ::= λa.t | h · sp
Spines               sp    ::= t; sp | ()
Substitutions        σ     ::= · | t/a, σ | b//a, σ

Types τ and kinds κ overlap, and will be referred to generically as classifiers ν when it is convenient to do so; types and kinds can be seen as refinements of classifiers. Another important refinement is the atomic classifiers a · sp, which we abbreviate as p.

LF spines sp are just sequences of terms (t₁; (...; (tₙ; ())...)); we follow common convention and write h t₁ ... tₙ as a convenient shorthand for the atomic term h · (t₁; (...; (tₙ; ())...)); similarly, we will write a t₁ ... tₙ as a shorthand for the atomic classifier a · (t₁; (...; (tₙ; ())...)). This shorthand is given a formal justification in [CP02]; we will use the same shorthand for SLS proof terms in Section 4.2.5.

4.1.2  Simple  types  and  hereditary  substitution 

In addition to LF types like Πa:(Πx:(a₁ · sp₁). (a₂ · sp₂)). Πy:(a₃ · sp₃). (a₄ · sp₄), both Canonical LF and Spine Form LF take simple types into consideration. The simple type corresponding


t ∘ sp
    (λa.t') ∘ (t; sp) = ([t/a]t') ∘ sp
    (h · sp) ∘ ()     = h · sp

[t/a]sp
    [t/a](t'; sp) = ([t/a]t'); [t/a]sp
    [t/a]()       = ()

[t/a]t'
    [t/a](λb.t')  = λb.[t/a]t'          (a ≠ b)
    [t/a](a · sp) = t ∘ [t/a]sp
    [t/a](h · sp) = h · [t/a]sp         (if h ≠ a)

Figure 4.1: Hereditary substitution on terms, spines, and classifiers


to the type above is (a₁ → a₂) → a₃ → a₄, where → associates to the right. The simple type associated with the LF type τ is given by the function |τ|⁻ = τ_s, where |a · sp|⁻ = a and |Πa:τ.τ'|⁻ = |τ|⁻ → |τ'|⁻.

Variables and constants are treated as having an intrinsic simple type; these intrinsic simple types are sometimes written explicitly as annotations a^τs or c^τs (see [Pfe08] for an example), but we will leave them implicit. An atomic term h t1 ... tn must have a simple atomic type a. This means that the head h must have simple type τs1 → ... → τsn → a and each ti must have simple type τsi. Similarly, a lambda term λa.t must have simple type τs → τ' where a is a variable with simple type τs and t has simple type τ'.

Simple types, which are treated in full detail elsewhere [HL07, Ree09a], are critical because they allow us to define hereditary substitution and hereditary reduction as total functions in Figure 4.1. Intrinsically-typed Spine Form LF terms correspond to the proof terms for a focused presentation of (non-dependent) minimal logic. Hereditary reduction t ∘ sp and hereditary substitution [t/a]t', which are both implicitly indexed by the simple type τs of t, capture the computational content of structural cut admissibility on these proof terms. Informally, the action of hereditary substitution is to perform a substitution into a term and then continue to reduce any β-redexes that would be introduced by a traditional substitution operation. Therefore, [λx.x/f](a (f b) (f c)) is not a ((λx.x) b) ((λx.x) c); that is not even a syntactically well-formed term according to the grammar for Spine Form LF. Rather, the result of that hereditary substitution is a b c.


4.1.3  Judgments 

Hereditary substitution is necessary to define simultaneous substitution into types and terms in Figure 4.2. We will treat simultaneous substitutions in a mostly informal way, relying on the more careful treatment by Nanevski et al. [NPP08]. A substitution takes every variable in the context and either substitutes a term for it (the form σ, t/a) or substitutes another variable for it (the form σ, b//a). The latter form is helpful for defining identity substitutions, which we write
σ(sp)

    σ(t'; sp) = σ(t'); σ(sp)
    σ() = ()

σ(t')

    σ(λa.t') = λa. (σ, a//a)(t')        (a#σ)
    σ(a · sp) = t ∘ σ(sp)               (t/a ∈ σ)
    σ(a · sp) = b · σ(sp)               (b//a ∈ σ)
    σ(c · sp) = c · σ(sp)

σ(ν)

    σ(Πb:ν.ν') = Πb:σν. (σ, b//b)ν'     (b#σ)
    σ(type) = type
    σ(prop) = prop
    σ(prop ord) = prop ord
    σ(prop lin) = prop lin
    σ(prop pers) = prop pers
    σ(a · sp) = a · σ(sp)

Figure 4.2: Simultaneous substitution on terms, spines, and classifiers


as id or id_Ψ, as well as generic substitutions [t/a] that act like the identity on all variables except for a; the latter notation is used in the definition of LF typing in Figure 4.3, which is adapted to Spine Form LF from Harper and Licata's Canonical LF presentation [HL07]. The judgments a#σ, a#Ψ, c#Σ, a#Σ, and r#Σ assert that the relevant variable or constant does not already appear in the context Ψ (as a binding a:τ), the signature Σ (as a declaration c : τ, a : κ, or r : A⁻), or the substitution σ (as a binding t/a or b//a).

All the judgments in Figure 4.3 are indexed by a transitive subordination relation R, similar to the one introduced by Virga in [Vir99]. The subordination relation is used to determine if a term or variable of type τ1 can be a (proper) subterm of a term of type τ2. Uses of subordination appear in the definition of well-formed equality propositions t =τ s in Section 4.2, in the preservation proofs in Section 9.5, and in adequacy arguments (as discussed in [HL07]). We treat R as a binary relation on type family constants. Let head(τ) = a if τ = Πa1:τ1. ... Πam:τm. a · sp. The signature formation operations depend on three judgments. The index subordination judgment, κ ⊑R a, relates type family constants to types. It is always the case that κ = Πa1:τ1. ... Πan:τn. type, and the judgment κ ⊑R a holds if (head(τi), a) ∈ R for 1 ≤ i ≤ n. The type subordination judgment τ ≺R τ' holds if (head(τ), head(τ')) ∈ R, and the judgment τ ≍R τ' is the symmetric extension of this relation.

In Figure 4.3, we define the formation judgments for LF. The first formation judgment is ⊢R Σ sig, which takes a signature Σ and determines whether it is well-formed. The premise τ ≺R τ is used in the definition of term constants to enforce that only self-subordinate types can have constructors. This, conversely, means that types that are not self-subordinate can only
⊢R Σ sig

    ----------------
    ⊢R · sig

    ⊢R Σ sig    · ⊢Σ,R τ type    τ ≺R τ    c#Σ
    ------------------------------------------
    ⊢R (Σ, c : τ) sig

    ⊢R Σ sig    · ⊢Σ,R κ kind    κ ⊑R a    a#Σ
    ------------------------------------------
    ⊢R (Σ, a : κ) sig

    ⊢R Σ sig    ·; · ⊢Σ,R A⁻ prop⁻    r#Σ
    -------------------------------------
    ⊢R (Σ, r : A⁻) sig

⊢Σ,R Ψ ctx - presumes ⊢R Σ sig

    ----------------
    ⊢Σ,R · ctx

    ⊢Σ,R Ψ ctx    Ψ ⊢Σ,R τ type    a#Ψ
    ----------------------------------
    ⊢Σ,R (Ψ, a:τ) ctx

Ψ ⊢Σ,R κ kind - presumes ⊢Σ,R Ψ ctx

    Ψ ⊢Σ,R τ type    Ψ, a:τ ⊢Σ,R κ kind
    -----------------------------------
    Ψ ⊢Σ,R (Πa:τ.κ) kind

    --------------------    --------------------    --------------------------
    Ψ ⊢Σ,R type kind        Ψ ⊢Σ,R prop kind        Ψ ⊢Σ,R (prop ord) kind

    --------------------------    ---------------------------
    Ψ ⊢Σ,R (prop lin) kind        Ψ ⊢Σ,R (prop pers) kind

Ψ ⊢Σ,R τ type - presumes ⊢Σ,R Ψ ctx

    Ψ ⊢Σ,R τ type    Ψ, a:τ ⊢Σ,R τ' type    τ ≺R τ'
    -----------------------------------------------
    Ψ ⊢Σ,R (Πa:τ.τ') type

    a:κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : type
    --------------------------------
    Ψ ⊢Σ,R (a · sp) type

Ψ ⊢Σ,R t : τ - presumes Ψ ⊢Σ,R τ type

    Ψ, a:τ ⊢Σ,R t : τ'
    -------------------------
    Ψ ⊢Σ,R λa.t : Πa:τ.τ'

    c : τ ∈ Σ    Ψ, [τ] ⊢Σ,R sp : τ'    τ' = p
    -----------------------------------------
    Ψ ⊢Σ,R c · sp : p

    a:τ ∈ Ψ    Ψ, [τ] ⊢Σ,R sp : τ'    τ' = p
    ---------------------------------------
    Ψ ⊢Σ,R a · sp : p

Ψ, [ν] ⊢Σ,R sp : ν0 - presumes that either Ψ ⊢Σ,R ν type or that Ψ ⊢Σ,R ν kind

    ------------------------
    Ψ, [ν] ⊢Σ,R () : ν

    Ψ ⊢Σ,R t : τ    [t/a]ν = ν'    Ψ, [ν'] ⊢Σ,R sp : ν0
    --------------------------------------------------
    Ψ, [Πa:τ.ν] ⊢Σ,R t; sp : ν0

Ψ ⊢Σ,R σ : Ψ' - presumes ⊢Σ,R Ψ ctx and ⊢Σ,R Ψ' ctx

    ----------------
    Ψ ⊢Σ,R · : ·

    Ψ ⊢Σ,R σ : Ψ'    Ψ ⊢Σ,R t : στ
    ------------------------------
    Ψ ⊢Σ,R (σ, t/a) : Ψ', a:τ

    Ψ ⊢Σ,R σ : Ψ'    b:στ ∈ Ψ
    ------------------------------
    Ψ ⊢Σ,R (σ, b//a) : Ψ', a:τ

Figure 4.3: LF formation judgments (τ' = p refers to α-equivalence)
be inhabited by variables a, which is important for one of the two types of equality t =τ s that SLS supports. The judgments ⊢Σ,R Ψ ctx, Ψ ⊢Σ,R κ kind, and Ψ ⊢Σ,R τ type take contexts Ψ, kinds κ, and types τ and ensure that they are well-formed in the current signature or (if applicable) context. The judgment Ψ ⊢Σ,R t:τ takes a term and a type and typechecks the term against the type, and the judgment Ψ ⊢Σ,R σ : Ψ' checks that a substitution σ can transport objects (terms, types, etc.) defined in the context Ψ' to objects defined in Ψ.

The judgment Ψ, [ν] ⊢Σ,R sp : ν0 is read a bit differently than these other judgments. The notation, first of all, is meant to evoke the (exactly analogous) left-focus judgments from Chapters 2 and 3. In most other sources (for example, in [CP02]) this judgment is instead written as Ψ ⊢Σ,R sp : ν > ν0. In either case, we read this judgment as checking a spine sp against a classifier ν (actually either a type τ or a kind κ) and synthesizing a return classifier ν0. In other words, ν0 is an output of the judgment Ψ, [ν] ⊢Σ,R sp : ν0, and given that this judgment presumes that either Ψ ⊢Σ,R ν type or Ψ ⊢Σ,R ν kind, it ensures that either Ψ ⊢Σ,R ν0 type or Ψ ⊢Σ,R ν0 kind, where the classifiers of ν and ν0 (type or kind) always match. It is because ν0 is an output that we add an explicit premise to check that τ' = p in the typechecking rule for c · sp; this equality refers to the α-equality of Spine Form LF terms.

There  are  a  number  of  well-formedness  theorems  that  we  need  to  consider,  such  as  the  fact 
that  substitutions  compose  in  a  well-behaved  way  and  that  hereditary  substitution  is  always  well- 
typed.  However,  as  these  theorems  are  adequately  covered  in  the  aforementioned  literature  on 
LF,  we  will  proceed  with  using  LF  as  a  term  language  and  will  treat  term-level  operations  like 
substitution  somewhat  informally. 

We will include annotations for the signature Σ and the subordination relation R in the definitions of this section and the next one. In the following sections and chapters, however, we will often leave the signature Σ implicit when it is unambiguous or unimportant. We will almost always leave the subordination relation implicit; we can assume where applicable that we are working with the strongest (that is, the smallest) subordination relation for the given signature [HL07].

4.1.4  Adequacy 

Adequacy  was  the  name  given  by  Harper,  Honsell,  and  Plotkin  to  the  methodology  of  connecting 
inductive  definitions  to  the  canonical  forms  of  a  particular  type  family  in  LF.  Consider,  as  a 
standard  example,  the  untyped  lambda  calculus,  which  is  generally  specified  by  a  BNF  grammar 
such  as  the  following: 

e ::= x | λx.e | e1 e2

We can adequately encode this language of terms into LF (with a subordination relation R such that (exp, exp) ∈ R) by giving the following signature:

Σ = ·,
    exp : type,
    app : Πa:exp. Πb:exp. exp,
    lam : Πa:(Πb:exp. exp). exp
Note that the variables a and b are bound by Π-quantifiers in the declaration of app and lam but never used. The usual convention is to abbreviate Πa:τ.τ' as τ → τ' when a is not free in τ', which would give app type exp → exp → exp and lam type (exp → exp) → exp.

Theorem 4.1 (Adequacy for terms). Up to standard α-equivalence, there is a bijection between expressions e (with free variables in the set {x1, ..., xn}) and Spine Form LF terms t such that x1:exp, ..., xn:exp ⊢Σ,R t : exp.

Proof.  By  induction  on  the  structure  of  the  inductive  definition  of  e  in  the  forward  direction  and 
by  induction  on  the  structure  of  terms  t  with  type  exp  in  the  reverse  direction.  □ 

We express the constructive content of this theorem as an invertible function ⌜e⌝ = t from object language terms e to their representations as LF terms t of type exp:

*  ⌜x⌝ = x,

*  ⌜e1 e2⌝ = app ⌜e1⌝ ⌜e2⌝, and

*  ⌜λx.e⌝ = lam λx. ⌜e⌝.

If we had also defined substitution [e/x]e' on terms, it would be necessary to show that the bijection is compositional: that is, that [⌜e⌝/x]⌜e'⌝ = ⌜[e/x]e'⌝. Note that adequacy critically depends on the context having the form x1:exp, ..., xn:exp. If we had a context with a variable y:(exp → exp), then we could form an LF term y (lam λx.x) with type exp that does not adequately encode any term e in the untyped lambda calculus.

One of the reasons subordination is important in practice is that it allows us to consider the adequate encoding of expressions in contexts Ψ that have other variables x:τ as long as (head(τ), exp) ∉ R. If Ψ, x:τ ⊢Σ,R t : exp and τ ⊀R exp, then x cannot be free in t, so Ψ ⊢Σ,R t : exp holds as well. By iterating this procedure, it may be possible to strengthen a context Ψ into one of the form x1:exp, ..., xn:exp, in which case we can conclude that t = ⌜e⌝ for some untyped lambda calculus term e.
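The hereditary substitution of Section 4.1.2 and the encoding ⌜e⌝ of this section, as an added example that is not part of the dissertation or of any SLS implementation: Spine Form LF terms as Python data, [t/a]t' and t ∘ sp from Figure 4.1, the encoding and its inverse, and a check of the compositionality equation [⌜e⌝/x]⌜e'⌝ = ⌜[e/x]e'⌝ on one instance, together with the y (lam λx.x) term that decodes to nothing. The class and function names (Lam, App, hsubst, hreduce, encode, decode, subst, compositional) are this example's own, and it assumes the usual variable convention (bound names distinct from free names) in place of the (a ≠ b) renaming side condition.

```python
from dataclasses import dataclass
from typing import Union

# Spine Form LF (Section 4.1.1): a normal term is λa.t or h · sp, where the head
# h is a variable or constant name and the spine (t1; (...; (tn; ())...)) is a tuple.
@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    head: str
    spine: tuple

Term = Union[Lam, App]

def var(name: str) -> App:
    """A bare variable or constant is the atomic term name · ()."""
    return App(name, ())

def hsubst(t: Term, a: str, t2: Term) -> Term:
    """[t/a]t2, hereditary substitution as in Figure 4.1 (assumed: no bound
    variable of t2 occurs free in t, so no renaming is needed)."""
    if isinstance(t2, Lam):
        if t2.var == a:              # a is rebound: no free occurrences below
            return t2
        return Lam(t2.var, hsubst(t, a, t2.body))
    sp = tuple(hsubst(t, a, s) for s in t2.spine)   # [t/a]sp, elementwise
    if t2.head == a:
        return hreduce(t, sp)        # [t/a](a · sp) = t ∘ [t/a]sp
    return App(t2.head, sp)          # [t/a](h · sp) = h · [t/a]sp  (h ≠ a)

def hreduce(t: Term, sp: tuple) -> Term:
    """t ∘ sp, hereditary reduction; simple typing rules out the other shapes."""
    if isinstance(t, Lam):
        if not sp:
            raise TypeError("lambda applied to the empty spine")
        return hreduce(hsubst(sp[0], t.var, t.body), sp[1:])   # (λa.t') ∘ (t; sp)
    if sp:
        raise TypeError("atomic term applied to a non-empty spine")
    return t                         # h · sp ∘ () = h · sp

# Untyped lambda calculus e ::= x | λx.e | e1 e2 (Section 4.1.4).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Abs:
    var: str
    body: "Exp"

@dataclass(frozen=True)
class Ap:
    fun: "Exp"
    arg: "Exp"

Exp = Union[Var, Abs, Ap]

def encode(e: Exp) -> Term:
    """⌜e⌝: ⌜x⌝ = x, ⌜e1 e2⌝ = app ⌜e1⌝ ⌜e2⌝, ⌜λx.e⌝ = lam λx.⌜e⌝."""
    if isinstance(e, Var):
        return var(e.name)
    if isinstance(e, Ap):
        return App("app", (encode(e.fun), encode(e.arg)))
    return App("lam", (Lam(e.var, encode(e.body)),))

def decode(t: Term) -> Exp:
    """Inverse of ⌜·⌝ for LF terms of type exp in a context x1:exp, ..., xn:exp."""
    if isinstance(t, App) and t.head == "app" and len(t.spine) == 2:
        return Ap(decode(t.spine[0]), decode(t.spine[1]))
    if (isinstance(t, App) and t.head == "lam" and len(t.spine) == 1
            and isinstance(t.spine[0], Lam)):
        return Abs(t.spine[0].var, decode(t.spine[0].body))
    if isinstance(t, App) and not t.spine:
        return Var(t.head)           # an LF variable x:exp
    raise ValueError("not the encoding of any untyped lambda term")

def is_adequate_encoding(t: Term) -> bool:
    """False for terms like y (lam λx.x) with y:(exp → exp), which decode to nothing."""
    try:
        decode(t)
        return True
    except ValueError:
        return False

def subst(e: Exp, x: str, e2: Exp) -> Exp:
    """Object-level [e/x]e2, under the same variable convention as hsubst."""
    if isinstance(e2, Var):
        return e if e2.name == x else e2
    if isinstance(e2, Ap):
        return Ap(subst(e, x, e2.fun), subst(e, x, e2.arg))
    return e2 if e2.var == x else Abs(e2.var, subst(e, x, e2.body))

def compositional(e: Exp, x: str, e2: Exp) -> bool:
    """One instance of the compositionality equation [⌜e⌝/x]⌜e2⌝ = ⌜[e/x]e2⌝."""
    return hsubst(encode(e), x, encode(e2)) == encode(subst(e, x, e2))

if __name__ == "__main__":
    # The example of Section 4.1.2: [λx.x/f](a (f b) (f c)) is a b c, not a ((λx.x) b) ((λx.x) c).
    ex = App("a", (App("f", (var("b"),)), App("f", (var("c"),))))
    print(hsubst(Lam("x", var("x")), "f", ex) == App("a", (var("b"), var("c"))))
```

The β-redex that a naive substitution would create at f b is never built: hsubst meets the head f, substitutes into the spine first, and hands the result to hreduce, which is exactly the t ∘ [t/a]sp clause of Figure 4.1. The decode failure on y (lam λx.x) is the context-shape condition of Theorem 4.1 showing up as a runtime check.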


4.2  The  logical  framework  SLS 

In  this  section,  we  will  describe  the  restricted  set  of  polarized  OL3  propositions  and  focused 
OL3  proof  terms  that  make  up  the  logical  framework  SLS.  For  the  remainder  of  the  dissertation, 
we  will  work  exclusively  with  the  following  positive  and  negative  SLS  propositions,  which  are  a 
syntactic  refinement  of  the  positive  and  negative  propositions  of  polarized  OL3: 


A⁺, B⁺, C⁺ ::= p⁺ | p⁺_eph | p⁺_pers | ↓A⁻ | !A⁻ | ¡A⁻ | 1 | A⁺ • B⁺ | ∃a:τ.A⁺ | t =τ s

A⁻, B⁻, C⁻ ::= p⁻ | ○A⁺ | A⁺ ↣ B⁻ | A⁺ ↠ B⁻ | A⁻ & B⁻ | ∀a:τ.A⁻

We now have to deal with a point of notational dissonance: all existing work on CLF, all existing implementations of CLF, and the prototype implementation of SLS (Section 4.5) use the notation {A⁺} for the connective internalizing the judgment A⁺ lax, which we have written as ○A⁺, following Fairtlough and Mendler [FM97]. The traditional notation overloads curly braces, which




Ψ ⊢Σ,R C satisfiable - presumes ⊢Σ,R Ψ ctx, that the terms in

    ------------------------
    Ψ ⊢Σ,R · satisfiable

    Ψ ⊢Σ,R t : τ    Ψ ⊢Σ,R C satisfiable
    ------------------------------------
    Ψ ⊢Σ,R (C, t =τ t) satisfiable

    a:p ∈ Ψ    Ψ ⊢Σ,R t : p    Ψ' ⊢Σ,R [t/a] : Ψ    Ψ' ⊢Σ,R [t/a]C satisfiable
    -----------------------------------------------------------------------
    Ψ ⊢Σ,R (C, a =p t) satisfiable

Figure 4.4: Equality constraints (used to support notational definitions)


we also use for the context-framing notation Θ{Δ} introduced in Section 3.2. We will treat ○A⁺ and {A⁺} as synonyms in SLS, preferring the former in this chapter and the latter afterwards.

Positive ordered atomic propositions p⁺ are atomic classifiers a t1 ... tn with kind prop ord, positive linear and persistent atomic propositions p⁺_eph and p⁺_pers are (respectively) atomic classifiers with kind prop lin and prop pers, and negative ordered atomic propositions p⁻ are atomic classifiers with kind prop. From this point on, we will unambiguously refer to atomic propositions p⁻ as negative atomic propositions, omitting "ordered." Similarly, we will refer to atomic propositions p⁺, p⁺_eph, and p⁺_pers collectively as positive atomic propositions but individually as ordered, linear, and persistent propositions, respectively, omitting "positive." ("Mobile" and "ephemeral" will continue to be used as synonyms for "linear".)


4.2.1  Propositions 

The formation judgments for SLS types are given in Figure 4.5. As discussed in the introduction to this chapter, the removal of ↑A⁺ and p⁻_lax is fundamental to the separation of the deductive and concurrent fragments of SLS; most of the other restrictions made to the language are for the purpose of giving partial proofs a list-like structure. In particular, all positive propositions whose left rules have more or less than one premise are restricted. The propositions 0 and A⁺ ⊕ B⁺ are excluded from SLS to this end, and we must place rather draconian restrictions on the use of equality in order to ensure that =L can always be treated as having exactly one premise.

The formation rules for propositions are given in Figure 4.5. Much of the complexity of this presentation, such as the existence of an additional constraint context C, described in Figure 4.4, is aimed at allowing the inclusion of equality in SLS in a sufficiently restricted form. The intent of these restrictions is to ensure that, whenever we decompose a positive proposition s = t on the left, we have that s is some variable a in the context and that a is not free in t. When this is the case, [t/a] is always a most general unifier of s = a and t, which in turn means that the left rule for equality in OL3

    ∀(Ψ' ⊢ σ : Ψ). σt = σs → Ψ'; σΘ{·} ⊢ σU
    ---------------------------------------- =L
    Ψ; Θ{t =τ s} ⊢ U

is equivalent to a much simpler rule:

    Ψ, [t/a]Ψ'; [t/a]Θ{·} ⊢ [t/a]U
    -------------------------------- =L
    Ψ, a:τ, Ψ'; Θ{a =τ t} ⊢ U
Ψ; C ⊢Σ,R A⁺ prop⁺ - presumes ⊢Σ,R Ψ ctx and that Ψ ⊢ C satisfiable.

    a:κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop ord
    ------------------------------------
    Ψ; C ⊢Σ,R a · sp prop⁺

    a:κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop lin
    ------------------------------------
    Ψ; C ⊢Σ,R a · sp prop⁺

    a:κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop pers
    -------------------------------------
    Ψ; C ⊢Σ,R a · sp prop⁺

    Ψ; · ⊢Σ,R A⁻ prop⁻        Ψ; · ⊢Σ,R A⁻ prop⁻        Ψ; · ⊢Σ,R A⁻ prop⁻
    ----------------------    ----------------------    ----------------------
    Ψ; C ⊢Σ,R ↓A⁻ prop⁺       Ψ; C ⊢Σ,R !A⁻ prop⁺       Ψ; C ⊢Σ,R ¡A⁻ prop⁺

    --------------------
    Ψ; C ⊢Σ,R 1 prop⁺

    Ψ; C ⊢Σ,R A⁺ prop⁺    Ψ; C ⊢Σ,R B⁺ prop⁺
    ----------------------------------------
    Ψ; C ⊢Σ,R A⁺ • B⁺ prop⁺

    Ψ ⊢Σ,R τ type    (t = a or Ψ ⊢Σ,R t : τ)    Ψ, a:τ; C, a =τ t ⊢Σ,R A⁺ prop⁺
    --------------------------------------------------------------------------
    Ψ; C ⊢Σ,R ∃a:τ.A⁺ prop⁺

    Ψ ⊢Σ,R p type    a:p ∈ Ψ    b:p ∈ Ψ    p ⊀R p
    --------------------------------------------
    Ψ; C ⊢Σ,R a =p b prop⁺

    t =p s ∈ C    Ψ ⊢Σ,R s : p
    --------------------------
    Ψ; C ⊢Σ,R t =p s prop⁺

Ψ; C ⊢Σ,R A⁻ prop⁻ - presumes ⊢Σ,R Ψ ctx and that Ψ ⊢ C satisfiable.

    a:κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop        Ψ; · ⊢Σ,R A⁺ prop⁺
    --------------------------------        ----------------------
    Ψ; C ⊢Σ,R a · sp prop⁻                  Ψ; C ⊢Σ,R ○A⁺ prop⁻

    Ψ; C ⊢Σ,R A⁺ prop⁺    Ψ; C ⊢Σ,R B⁻ prop⁻        Ψ; C ⊢Σ,R A⁺ prop⁺    Ψ; C ⊢Σ,R B⁻ prop⁻
    ----------------------------------------        ----------------------------------------
    Ψ; C ⊢Σ,R A⁺ ↣ B⁻ prop⁻                         Ψ; C ⊢Σ,R A⁺ ↠ B⁻ prop⁻

    Ψ; C ⊢Σ,R A⁻ prop⁻    Ψ; C ⊢Σ,R B⁻ prop⁻
    ----------------------------------------
    Ψ; C ⊢Σ,R A⁻ & B⁻ prop⁻

    Ψ ⊢Σ,R τ type    (t = a or Ψ ⊢Σ,R t : τ)    Ψ, a:τ; C, a =τ t ⊢Σ,R A⁻ prop⁻
    --------------------------------------------------------------------------
    Ψ; C ⊢Σ,R ∀a:τ.A⁻ prop⁻

Figure 4.5: SLS propositions
Usually, when we require the "existence of most general unifiers," that signals that a most general unifier must exist if any unifier exists. The condition we are requiring is much stronger: for the unification problems we will encounter due to the =L rule, a most general unifier must exist. Allowing unification problems that could fail would require us to consider positive inversion rules with zero premises, and the proposition 0 was excluded from SLS precisely to prevent us from needing to deal with positive inversion rules with zero premises.²

There are two distinct conditions under which we can be sure that unification problems always have a most general solution: when equality is performed over pure variables and when equality is used as a notational definition [PS99a]. Equality of pure variable types is used in the destination-adding transformation in Chapter 7, and notational definitions are used extensively in Chapter 8.

Pure variables  Equality at an atomic type p that is not subordinate to itself (p ⊀R p) is always allowed. This is reflected in the first formation rule for t = s in Figure 4.5.

Types that are not self-subordinate can only be inhabited by variables: that is, if p ⊀R p and Ψ ⊢Σ,R t : p, then t = a where a:p ∈ Ψ. For any unification problem a = b, both [a/b] and [b/a] are most general unifiers.

Notational definitions  Using equality as a notational definition allows us to manipulate propositions in ways that have no effect on the structure of synthetic inference rules. When we check a universal quantifier ∀a:p.A⁻ or existential quantifier ∃a:p.A⁺, we are allowed to introduce one term t that will be forced, by the use of equality, to be unified with this newly-introduced variable. By adding a =p t to the set of constraints C, we allow ourselves to mention a =p t later on in the proposition by using the second formation rule for equality in Figure 4.5.

The notational definition a =p t must be reachable from its associated quantifier without crossing a shift or an exponential; in Andreoli's terms, it must be in the same monopole (Section 2.4). This condition, which it might be possible to relax at the cost of further complexity elsewhere in the presentation, is enforced by the formation rules for shifts and exponentials, which clear the context C in their premise. The proposition ∀a. ↓(p a) ↣ a =p t satisfies this condition but ∀a. ○(a = t) does not (○ breaks focus), and the proposition ○(∃a. a =p t) satisfies this condition but ○(∃a. ↓(a = t ↣ p a)) does not (↓ breaks focus). The rule ○(∃a:p. a =p s a) doesn't pass muster because the term t must be well-formed in a context that does not include a; this is related to the occurs check in unification. The rule ○(∃a. a = t • a = s) is not well-formed if t and s are syntactically distinct. Each variable can only be notationally defined to be one term; otherwise we could encode an arbitrary unification problem t = s.

4.2.2 Substructural contexts

Figure 4.6 describes the well-formed substructural contexts in SLS. The judgment Ψ ⊢Σ,R Γ left is used to check stable bindings x:A⁻ lvl and z:(p⁺_lvl) lvl that can appear as a part of stable, inverting, or left-focused sequents; the judgment Ψ ⊢Σ,R Δ stable just maps this judgment over

² The other side of this observation is that, if we allow the proposition 0 and adapt the logical framework accordingly, it might be possible to relax the restrictions we have placed on equality.




Ψ ⊢Σ,R Γ left - presumes ⊢Σ,R Ψ ctx

    Ψ; · ⊢Σ,R A⁻ prop⁻
    ---------------------------
    Ψ ⊢Σ,R (A⁻ lvl) left

    a : κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop ord
    --------------------------------------
    Ψ ⊢Σ,R ((a · sp) ord) left

    a : κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop lin
    --------------------------------------
    Ψ ⊢Σ,R ((a · sp) eph) left

    a : κ ∈ Σ    Ψ, [κ] ⊢Σ,R sp : prop pers
    ---------------------------------------
    Ψ ⊢Σ,R ((a · sp) pers) left

Ψ ⊢Σ,R Δ stable - presumes ⊢Σ,R Ψ ctx

    --------------------
    Ψ ⊢Σ,R · stable

    Ψ ⊢Σ,R Δ stable    Ψ ⊢Σ,R Γ left
    --------------------------------
    Ψ ⊢Σ,R (Δ, x:Γ) stable

Ψ ⊢Σ,R Δ inv - presumes ⊢Σ,R Ψ ctx

    -----------------
    Ψ ⊢Σ,R · inv

    Ψ ⊢Σ,R Δ inv    Ψ ⊢Σ,R Γ left
    -----------------------------
    Ψ ⊢Σ,R (Δ, x:Γ) inv

    Ψ ⊢Σ,R Δ inv    Ψ; C ⊢Σ,R A⁺ prop⁺
    ----------------------------------
    Ψ ⊢Σ,R (Δ, x:A⁺ ord) inv

Ψ ⊢Σ,R Δ infoc - presumes ⊢Σ,R Ψ ctx

    Ψ ⊢Σ,R Δ infoc    Ψ ⊢Σ,R Γ left
    -------------------------------
    Ψ ⊢Σ,R (Δ, x:Γ) infoc

    Ψ ⊢Σ,R Δ stable    Ψ; C ⊢Σ,R A⁻ prop⁻
    -------------------------------------
    Ψ ⊢Σ,R (Δ, x:[A⁻] ord) infoc

Figure 4.6: SLS contexts


the context. The judgment Ψ ⊢Σ,R Δ inv describes contexts during the inversion phase, which can also contain inverting positive propositions A⁺. The judgment Ψ ⊢Σ,R Δ infoc describes a context that is stable aside from the one negative proposition in focus.

The rules for inverting and focusing on propositions in Figure 4.6 use a non-empty constraint context. This is necessary because the property of being a well-formed proposition is not stable under arbitrary substitutions. Even though ∀a:p. (a =p c) ↣ A⁻ is a well-formed negative proposition according to Figure 4.5, (a =p c) ↣ A⁻ is only a well-formed proposition if we add a =p c to the set of constraints, and (c =p c) ↣ [c/a]A⁻ is only a well-formed proposition if we add c =p c to the set of constraints.

The restrictions we make to contexts justify our continued practice of omitting the ord annotation when talking about inverting positive propositions A⁺ or focused negative propositions [A⁻] in the context, since these context constituents only appear in conjunction with the ord judgment.

This discussion of well-formed propositions and contexts takes care of any issues dealing with variables that were swept under the rug in Chapter 3. We could stop here and use the refinement of OL3 proof terms that corresponds to our refinement of propositions as the language
of SLS proof terms. This is not desirable for two main reasons. First, the proof terms of focused OL3 make it inconvenient (though not impossible) to talk about concurrent equality (Section 4.3). Second, one of our primary uses of SLS in this dissertation will be to talk about traces, which correspond roughly to partial proofs

    Ψ'; Δ' ⊢ A⁺ lax
    Ψ; Δ ⊢ A⁺ lax

in OL3, where both the top and bottom sequents are stable and where A⁺ is some unspecified, parametric positive proposition. Using OL3-derived proof terms makes it difficult to talk about and manipulate proofs of this form.

In the remainder of this section, we will present a proof term assignment for SLS that facilitates discussing concurrent equality and partial proofs. SLS proof terms are in bijective correspondence with a refinement of OL3 proof terms when we consider complete (deductive) proofs, but the introduction of patterns and traces reconfigures the structure of derivations and proof terms.

4.2.3 Process states

A process state is a disembodied left-hand side of a sequent that we use to describe the intermediate states of concurrent systems. Traces, introduced in Section 4.2.6, are intended to capture the structure of partial proofs:

    Ψ'; Δ' ⊢ A⁺ lax
    Ψ; Δ ⊢ A⁺ lax

The type of a trace will be presented as a relation between two process states. As a first cut, we can represent the initial state as (Ψ; Δ) and the final state as (Ψ'; Δ'), and we can omit Ψ and just write Δ when that is sufficiently clear.

Representing a process state as merely an LF context Ψ and a substructural context Δ is insufficient because of the way equality, pure variable equality in particular, can unify distinct variables. Consider the following partial proof:

    b:p; z:(foo b b) eph ⊢ (foo b b) lax
    a:p, b:p; x:○(a =τ b) eph, z:(foo a a) eph ⊢ (foo a b) lax

This partial proof can be constructed in one focusing stage by a left focus on x. It is insufficient to capture the first process state as (a:p, b:p; x:○(a =τ b), z:(foo a a) eph) and the second process state as (b:p; z:(foo b b) eph), as this would fail to capture that the succedent (foo b b) lax is a substitution instance of the succedent (foo a b) lax. In general, if the derivation above proved some arbitrary succedent A⁺ lax instead of the specific succedent (foo a b) lax, then the missing subproof would have the succedent [b/a]A⁺ lax.

A process state is therefore written as (Ψ; Δ)σ and is well-formed under the signature Σ and the subordination relation R if Ψ ⊢Σ,R Δ inv (which presumes that ⊢Σ,R Ψ ctx, as defined in
Figure 4.3) and if Ψ ⊢Σ,R σ : Ψ0, where Ψ0 is some other context that represents the starting point, the context in which the disconnected succedent A⁺ lax is well-formed.

    Ψ ⊢Σ,R Δ inv    ⊢Σ,R Ψ0 ctx    Ψ ⊢Σ,R σ : Ψ0
    ----------------------------------------------
    ⊢Σ,R (Ψ; Δ)σ state

Taking Ψ0 = a:p, b:p, the partial proof above can thus be represented as a step (Section 4.2.6) between these two process states:

    (a:p, b:p; x:○(a =τ b), z:(foo a a) eph)_{a/a, b/b}
    (b:p; z:(foo b b) eph)_{b/a, b/b}

Substitutions are just one of several ways that we could cope with free variables in succedents; another option, discussed in Section 4.3, is to track the set of constraints a = b that have been encountered by unification. When we consider traces in isolation, we will generally let Ψ0 = · and σ = ·, which corresponds to the case where the parametric conclusion A⁺ is a closed proposition. When the substitution is not mentioned, it can therefore be presumed to be empty. Additionally, when the LF context Ψ is empty or clear from the context, we will omit it as well. One further simplification is that we will occasionally omit the judgment lvl associated with a suspended positive atomic proposition (p⁺_lvl) lvl, but only when it is unambiguous from the current signature that p⁺_lvl is an ordered, linear, or persistent positive atomic proposition. In the examples above, we tacitly assumed that foo was given kind p → p → prop lin in the signature Σ when we tagged the suspended atomic propositions with the judgment eph. If it had been clear that foo was linear, then this judgment could have been omitted.
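The step above, written as code: an added example, not the dissertation's or the SLS prototype's code, that represents a process state (Ψ; Δ)σ as data, checks the pure-variable condition of Figure 4.5 before decomposing ○(a =p b), and applies the most general unifier [b/a] to Ψ, Δ and σ so that the original succedent foo a b can be transported to foo b b. The names (State, Atom, Eq, Lax, step_equality, equality_allowed, apply_sigma) and the subordination facts in SELF_SUBORDINATE are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Propositions over LF variables, enough for the partial proof of Section 4.2.3
# (added example; the data layout and names are this example's own).
@dataclass(frozen=True)
class Atom:              # a t1 ... tn with variable arguments, e.g. foo a b
    head: str
    args: tuple

@dataclass(frozen=True)
class Eq:                # a =p b, equality at the atomic type p
    left: str
    right: str
    type: str

@dataclass(frozen=True)
class Lax:               # ○A⁺, a negative proposition
    inner: object

@dataclass(frozen=True)
class State:             # a process state (Ψ; Δ)σ
    psi: tuple           # Ψ as ((variable, atomic type), ...)
    delta: tuple         # Δ as ((x, proposition, judgment), ...), judgment in ord/eph/pers
    sigma: tuple         # σ as ((variable of Ψ0, variable of Ψ), ...)

# Constructed subordination facts: exp is self-subordinate and p is not, so only
# p is a pure-variable type in the sense of Figure 4.5's first equality rule.
SELF_SUBORDINATE = frozenset({"exp"})

def map_vars(prop, f: Callable[[str], str]):
    """Apply a variable renaming to every LF variable in a proposition."""
    if isinstance(prop, Atom):
        return Atom(prop.head, tuple(f(v) for v in prop.args))
    if isinstance(prop, Eq):
        return Eq(f(prop.left), f(prop.right), prop.type)
    return Lax(map_vars(prop.inner, f))

def apply_sigma(sigma: tuple, prop):
    """σA⁺: transport a proposition stated over Ψ0 into the current Ψ."""
    m = dict(sigma)
    return map_vars(prop, lambda v: m.get(v, v))

def equality_allowed(st: State, x: str) -> bool:
    """x:○(a =p b) may be decomposed only if a and b are variables of a type p
    that is not subordinate to itself (Figure 4.5, first rule for equality)."""
    types = dict(st.psi)
    for y, prop, _ in st.delta:
        if y == x and isinstance(prop, Lax) and isinstance(prop.inner, Eq):
            eq = prop.inner
            return (eq.type not in SELF_SUBORDINATE
                    and types.get(eq.left) == eq.type
                    and types.get(eq.right) == eq.type)
    return False

def step_equality(st: State, x: str) -> State:
    """One focusing stage on x:○(a =p b): the most general unifier [b/a] is
    applied to Ψ and Δ and composed into σ; x is consumed unless persistent."""
    if not equality_allowed(st, x):
        raise ValueError(f"{x} is not a permitted pure-variable equality")
    _, prop, lvl = next(bnd for bnd in st.delta if bnd[0] == x)
    a, b = prop.inner.left, prop.inner.right

    def rename(v: str) -> str:
        return b if v == a else v

    rest = tuple(bnd for bnd in st.delta if bnd[0] != x or lvl == "pers")
    return State(
        psi=tuple((v, ty) for v, ty in st.psi if v != a or a == b),
        delta=tuple((y, map_vars(q, rename), l) for y, q, l in rest),
        sigma=tuple((v0, rename(v)) for v0, v in st.sigma))

# The partial proof of Section 4.2.3 as a process state, with Ψ0 = a:p, b:p and σ = id.
INITIAL = State(
    psi=(("a", "p"), ("b", "p")),
    delta=(("x", Lax(Eq("a", "b", "p")), "eph"),
           ("z", Atom("foo", ("a", "a")), "eph")),
    sigma=(("a", "a"), ("b", "b")))

if __name__ == "__main__":
    final = step_equality(INITIAL, "x")
    print(final)                                              # (b:p; z:(foo b b) eph)_{b/a, b/b}
    print(apply_sigma(final.sigma, Atom("foo", ("a", "b"))))  # foo b b
```

Keeping σ in the state is what makes the final succedent recoverable: apply_sigma(final.sigma, foo a b) yields foo b b, which the pair of contexts alone could not tell us. Dropping SELF_SUBORDINATE's check would let the same code unify variables of a self-subordinate type such as exp, which is exactly the case where [b/a] need not be a most general unifier.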

4.2.4 Patterns

A pattern is a syntactic entity that captures the list-like structure of left inversion on positive propositions. The OL3 proof term for the proposition (∃a. p a • ↓A⁻ • ↓B⁻) ↣ C⁻ is somewhat inscrutable: λ⟨a.••(x).λy.λz.N⟩. The SLS proof of this proposition, which uses patterns, is λ(a, x, y, z. N). The pattern P = a, x, y, z captures the structure of left inversion on the positive proposition ∃a. p a • ↓A⁻ • ↓B⁻.

The grammar of patterns is straightforward. Inversion on positive propositions can only have the effect of introducing new bindings (either LF variables a or SLS variables x) or handling a unification a =p t, which by our discussion above can always be resolved by the most general unifier [t/a], so the pattern associated with a proposition a =p t is t/a.

    P ::= () | x, P | a, P | t/a, P

For sequences with one or more elements, we omit the trailing comma and (), writing x, ..., z instead of x, ..., z, ().

SLS patterns have a list-like structure (the comma is right associative) because they capture the sequential structure of proofs. The associated decomposition judgment P :: (Ψ; Δ)σ ⟹Σ,R (Ψ'; Δ')σ' takes two process states. It operates a bit like the spine typing judgment from Figure 4.3 in that the process state (Ψ; Δ)σ (and the pattern P) are treated as an input and the process state (Ψ'; Δ')σ' is treated as an output. The typing rules for SLS patterns are given in
P :: (Ψ; Δ)σ ⟹Σ,R (Ψ'; Δ')σ' - presumes ⊢Σ,R (Ψ; Δ)σ state

    Ψ ⊢Σ,R Δ stable
    ----------------------------------
    () :: (Ψ; Δ)σ ⟹Σ,R (Ψ; Δ)σ

    P :: (Ψ; Θ{x:(p⁺_lvl) lvl})σ ⟹Σ,R (Ψ'; Δ')σ'
    ----------------------------------------------
    x, P :: (Ψ; Θ{p⁺_lvl})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ; Θ{x:A⁻ ord})σ ⟹Σ,R (Ψ'; Δ')σ'
    ---------------------------------------- ↓L
    x, P :: (Ψ; Θ{↓A⁻})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ; Θ{x:A⁻ eph})σ ⟹Σ,R (Ψ'; Δ')σ'
    ---------------------------------------- ¡L
    x, P :: (Ψ; Θ{¡A⁻})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ; Θ{x:A⁻ pers})σ ⟹Σ,R (Ψ'; Δ')σ'
    ----------------------------------------- !L
    x, P :: (Ψ; Θ{!A⁻})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ; Θ{·})σ ⟹Σ,R (Ψ'; Δ')σ'
    ---------------------------------- 1L
    P :: (Ψ; Θ{1})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ; Θ{A⁺, B⁺})σ ⟹Σ,R (Ψ'; Δ')σ'
    -------------------------------------- •L
    P :: (Ψ; Θ{A⁺ • B⁺})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ, a:τ; Θ{A⁺})σ ⟹Σ,R (Ψ'; Δ')σ'
    ---------------------------------------- ∃L
    a, P :: (Ψ; Θ{∃a:τ.A⁺})σ ⟹Σ,R (Ψ'; Δ')σ'

    P :: (Ψ, [t/a]Ψ'; [t/a]Θ{·})_{[t/a]σ} ⟹Σ,R (Ψ''; Δ')σ'
    ------------------------------------------------------- =L
    t/a, P :: (Ψ, a:τ, Ψ'; Θ{a =τ t})σ ⟹Σ,R (Ψ''; Δ')σ'

Figure 4.7: SLS patterns

Figure 4.7. We preserve the side conditions from the previous chapter: when we frame off an inverting positive proposition in the process state, it is required to be the left-most one. As in focused OL3, this justifies our omission of the variables associated with positive propositions: the positive proposition we frame off is always uniquely identified not by its associated variable but by its position in the context.

Note that there no longer appears to be a one-to-one correspondence between proof terms and rules: ↓L, ¡L, and !L appear to have the same proof term, and 1L and •L appear to have no proof term at all. To view patterns as being intrinsically typed, that is, to view them as actual representatives of (incomplete) derivations, we must think of patterns as carrying extra annotations that allow them to continue matching the structure of proof rules.


4.2.5  Values,  terms,  and  spines 

Notably missing from the SLS types are the upshifts ↑A⁺ and right-permeable negative atomic propositions p⁻_lax. The removal of these two propositions effectively means that the succedent of a stable SLS sequent can only be (p⁻) true or A⁺ lax. The SLS framework only considers complete proofs of judgments (p⁻) true, whereas traces, associated with proofs of A⁺ lax and introduced below in Section 4.2.6, are a proof term assignment for partial proofs. Excepting the proof term {let T in V}, which we present as part of the concurrent fragment of SLS in Section 4.2.6 below, the values, terms, and spines that stand for complete proofs will be referred
Ψ; Δ ⊢_{Σ,π} V : [A⁺]   (presumes Ψ ⊢_{Σ,π} Δ stable and Ψ ⊢_{Σ,π} A⁺ prop)

  Δ matches x:⟨A⁺⟩
  ------------------------ id⁺
  Ψ; Δ ⊢ x : [A⁺]

  Ψ; Δ ⊢ N : A⁻ ord
  ------------------------ ↓R
  Ψ; Δ ⊢ N : [↓A⁻]

  Ψ; Δ ⊢ N : A⁻ ord     (Δ contains no ord hypotheses)
  ------------------------ ¡R
  Ψ; Δ ⊢ ¡N : [¡A⁻]

  Ψ; Δ ⊢ N : A⁻ ord     (Δ contains only pers hypotheses)
  ------------------------ !R
  Ψ; Δ ⊢ !N : [!A⁻]

  Δ matches ·
  ------------------------ 1R
  Ψ; Δ ⊢ () : [1]

  Ψ; Δ₁ ⊢ V₁ : [A₁⁺]    Ψ; Δ₂ ⊢ V₂ : [A₂⁺]
  ------------------------------------------ •R
  Ψ; Δ₁, Δ₂ ⊢ V₁ • V₂ : [A₁⁺ • A₂⁺]

  Ψ ⊢ t : τ    Ψ; Δ ⊢ V : [[t/a]A⁺]
  ------------------------------------------ ∃R
  Ψ; Δ ⊢ [t, V] : [∃a:τ.A⁺]

  Δ matches ·
  ------------------------ =R
  Ψ; Δ ⊢ REFL : [t =_τ t]

Figure 4.8: SLS values


Ψ; Δ ⊢_{Σ,π} R : U   (presumes Ψ ⊢_{Σ,π} Δ stable and U = (A⁻) ord)

  Ψ; Θ{[A⁻]} ⊢ Sp : U
  ------------------------------------ focus
  Ψ; Θ{x:A⁻ lvl} ⊢ x·Sp : U

  r : A⁻ ∈ Σ    Ψ; Θ{[A⁻]} ⊢ Sp : U
  ------------------------------------ rule
  Ψ; Θ{·} ⊢ r·Sp : U

Figure 4.9: SLS atomic terms


Ψ; Δ ⊢_{Σ,π} N : A⁻ ord   (presumes Ψ ⊢_{Σ,π} Δ stable and Ψ ⊢_{Σ,π} A⁻ prop)

  Ψ; Δ ⊢ R : (p⁻) ord
  -------------------------
  Ψ; Δ ⊢ R : p⁻ ord

  P :: (Ψ; A⁺, Δ)_id ⇒ (Ψ'; Δ')_σ    Ψ'; Δ' ⊢ N : σB⁻ ord
  -------------------------------------------------------- ↣R
  Ψ; Δ ⊢ λP.N : A⁺ ↣ B⁻ ord

  P :: (Ψ; Δ, A⁺)_id ⇒ (Ψ'; Δ')_σ    Ψ'; Δ' ⊢ N : σB⁻ ord
  -------------------------------------------------------- ↠R
  Ψ; Δ ⊢ λP.N : A⁺ ↠ B⁻ ord

  Ψ; Δ ⊢ N₁ : A₁⁻ ord    Ψ; Δ ⊢ N₂ : A₂⁻ ord
  -------------------------------------------- &R
  Ψ; Δ ⊢ N₁ & N₂ : A₁⁻ & A₂⁻ ord

  Ψ, a:τ; Δ ⊢ N : A⁻ ord
  -------------------------------- ∀R
  Ψ; Δ ⊢ λa.N : ∀a:τ.A⁻ ord

  T :: (Ψ; Δ)_id ⇝ (Ψ'; Δ')_σ    Ψ'; Δ' ⊢ V : [σA⁺]
  -------------------------------------------------- ○R
  Ψ; Δ ⊢ {let T in V} : ○A⁺ ord

Figure 4.10: SLS terms
Ψ; Δ ⊢_{Σ,π} Sp : U   (presumes Ψ ⊢_{Σ,π} Δ infoc)

  Δ matches [A⁻]
  --------------------------- id⁻
  Ψ; Δ ⊢ NIL : (A⁻) ord

  Ψ; Δ ⊢ V : [A⁺]    Ψ; Θ{[B⁻]} ⊢ Sp : U
  ------------------------------------------ ↣L
  Ψ; Θ{Δ, [A⁺ ↣ B⁻]} ⊢ V;Sp : U

  Ψ; Δ ⊢ V : [A⁺]    Ψ; Θ{[B⁻]} ⊢ Sp : U
  ------------------------------------------ ↠L
  Ψ; Θ{[A⁺ ↠ B⁻], Δ} ⊢ V;Sp : U

  Ψ; Θ{[A₁⁻]} ⊢ Sp : U
  ------------------------------------ &L₁
  Ψ; Θ{[A₁⁻ & A₂⁻]} ⊢ π₁;Sp : U

  Ψ; Θ{[A₂⁻]} ⊢ Sp : U
  ------------------------------------ &L₂
  Ψ; Θ{[A₁⁻ & A₂⁻]} ⊢ π₂;Sp : U

  Ψ ⊢ t : τ    [t/a]B⁻ = B'⁻    Ψ; Θ{[B'⁻]} ⊢ Sp : U
  --------------------------------------------------- ∀L
  Ψ; Θ{[∀a:τ.B⁻]} ⊢ t;Sp : U

Figure 4.11: SLS spines


to  as  the  deductive  fragment  of  SLS. 


SLS values (Figure 4.8)         V  ::= x | N | ¡N | !N | () | V₁ • V₂ | [t, V] | REFL
SLS atomic terms (Figure 4.9)   R  ::= x·Sp | r·Sp
SLS terms (Figure 4.10)         N  ::= R | λP.N | N₁ & N₂ | λa.N | {let T in V}
SLS spines (Figure 4.11)        Sp ::= NIL | V;Sp | π₁;Sp | π₂;Sp | t;Sp

In contrast to OL3, we distinguish the syntactic category R of atomic terms that correspond to stable sequents. As with patterns, we appear to conflate the proof terms associated with different proof rules: we have a single λP.N constructor and a single V;Sp spine rather than one term λ>N and spine V>Sp associated with propositions A⁺ ↠ B⁻ and another term λ<N and spine V<Sp associated with propositions A⁺ ↣ B⁻. As with patterns, it is possible to think of these terms as just having extra annotations (λ> or λ<) that we have omitted. Without these annotations, proof terms carry less information than derivations, and the rules for values, terms, and spines in Figures 4.8-4.11 must be seen as typing rules. With these extra implicit annotations (or, possibly, with some of the technology of bidirectional typechecking), values, terms, and spines can continue to be seen as representatives of derivations.

Aside from ○R and its associated term {let T in V}, which belongs to the concurrent fragment of SLS, there is one rule in Figures 4.8-4.11 that does not have an exact analogue as a rule in OL3: the rule labeled rule in Figure 4.9. This rule corresponds to an atomic term r·Sp and accounts for the fact that there is an additional source of persistent facts in SLS, the signature Σ, that is not present in OL3. To preserve the bijective correspondence between OL3 and SLS proof terms, we need to place every rule r : A⁻ in the SLS signature Σ into the corresponding OL3 context as a persistent proposition.

As with LF terms, we will use a shorthand for atomic terms x·Sp and r·Sp, writing (foo t s V V') instead of foo·(t; s; V; V'; NIL) when we are not concerned with the fact that
S :: (Ψ; Δ)_σ ⇝_{Σ,π} (Ψ'; Δ')_σ'   (presumes ⊢_{Σ,π} (Ψ; Δ)_σ state and Ψ ⊢_{Σ,π} Δ stable)

  Ψ; Δ ⊢_{Σ,π} R : (○B⁺) ord    P :: (Ψ; Θ{B⁺})_σ ⇒_{Σ,π} (Ψ'; Δ')_σ'
  -------------------------------------------------------------------
  {P} ← R :: (Ψ; Θ{Δ})_σ ⇝_{Σ,π} (Ψ'; Δ')_σ'

Figure 4.12: SLS steps


T :: (Ψ; Δ)_σ ⇝_{Σ,π} (Ψ'; Δ')_σ'   (presumes ⊢_{Σ,π} (Ψ; Δ)_σ state and Ψ ⊢_{Σ,π} Δ stable)

Figure 4.13: SLS traces


atomic  terms  consist  of  a  variable  and  a  spine. 

4.2.6  Steps  and  traces 

The deductive fragment of SLS presented in Figures 4.7-4.11 covers every SLS proposition except for the lax modality ○A⁺. It is in the context of the lax modality that we will present proof terms corresponding to partial proofs; we call this fragment the concurrent fragment of SLS because of its relationship with concurrent equality, described in Section 4.3.


Steps    S ::= {P} ← R
Traces   T ::= ◦ | T₁;T₂ | S


A step S = {P} ← x·Sp corresponds precisely to the notion of a synthetic inference rule as discussed in Section 2.4. A step in SLS corresponds to a use of left focus, a use of the left rule for the lax modality, and a use of the admissible focal substitution lemma in OL3:

                                                Ψ'; Δ' ⊢ σ'A⁺ lax
                                                       ⋮   (left inversion on B⁺: the pattern P)
  Ψ; Θ'{[A⁻]} ⊢ (○B⁺) ord  (the spine Sp)       Ψ; Θ{B⁺} ⊢ σA⁺ lax
  ----------------------------------- focus     ------------------------- ○L
  Ψ; Θ'{x:A⁻ ord} ⊢ (○B⁺) ord                   Ψ; Θ{[○B⁺]} ⊢ σA⁺ lax
  ------------------------------------------------------------------------- focal substitution
  Ψ; Θ{Θ'{x:A⁻ ord}} ⊢ σA⁺ lax


The spine Sp corresponds to the complete proof of Ψ; Θ'{[A⁻]} ⊢ (○B⁺) ord, and the pattern P corresponds to the partial proof from Ψ'; Δ' ⊢ σ'A⁺ lax to Ψ; Θ{B⁺} ⊢ σA⁺ lax. The typing rules for steps are given in Figure 4.12. Because we understand these synthetic inference rules as relations between process states, we call (Ψ; Δ) ⇝ (Ψ'; Δ') a synthetic transition. Traces T are monoids over steps: ◦ is an empty trace, S is a trace consisting of a single step, and T₁;T₂ is the sequential composition of traces. The typing rules for traces in Figure 4.13 straightforwardly reflect this monoid structure. Both of the judgments S :: (Ψ; Δ)_σ ⇝ (Ψ'; Δ')_σ' and T :: (Ψ; Δ)_σ ⇝ (Ψ'; Δ')_σ' work like the rules for patterns, in that the step S or trace T is treated as an input along with the initial process state (Ψ; Δ)_σ, whereas the final process state (Ψ'; Δ')_σ' is treated as an output.

Steps incorporate left focus and the left rule for ○, and let-expressions {let T in V}, which include traces in deductive terms, incorporate right focus and the right rule for the lax modality in OL3:

  Ψ'; Δ' ⊢ [σ'A⁺]   (the value V)
  ----------------- focus
  Ψ'; Δ' ⊢ σ'A⁺ lax
         ⋮   (the trace T)
  Ψ; Δ ⊢ A⁺ lax
  ------------- ○R
  Ψ; Δ ⊢ ○A⁺

The trace T represents the entirety of the partial proof from Ψ; Δ ⊢ A⁺ lax to Ψ'; Δ' ⊢ σ'A⁺ lax that proceeds by repeated use of steps or synthetic transitions, and the eventual conclusion V represents the complete proof of Ψ'; Δ' ⊢ [σ'A⁺] that follows the series of synthetic transitions.

Both of the endpoints of a trace are stable sequents, but it will occasionally be useful to talk about steps and traces that start from unstable sequents and immediately decompose positive propositions. We will use the usual trace notation (Ψ; Δ)_σ ⇝ (Ψ'; Δ')_σ' to describe the type of these partial proofs. The proof term associated with this type will be written as λP.T, where

P :: (Ψ; Δ)_σ ⇒_{Σ,π} (Ψ''; Δ'')_σ''  and  T :: (Ψ''; Δ'')_σ'' ⇝_{Σ,π} (Ψ'; Δ')_σ'.


4.2.7  Presenting  traces 


To present traces in a readable way, we will use a notation that interleaves process states among the steps of a trace, a common practice in Hoare-style reasoning [Hoa71]. As an example, recall the series of transitions that our money-store-battery-robot system took in Section 2.3.9:


[Diagram from Section 2.3.9: three successive states, $6 (1) with battery-less robot (1), then battery (1) with battery-less robot (1), then robot (1), each accompanied by the persistent rule "turn $6 into a battery (all you want)".]


This  evolution  can  now  be  precisely  captured  as  a  trace  in  SLS: 


(x:⟨6bucks⟩ eph, f:(battery ↣ ○robot) eph, g:(6bucks ↣ ○battery) pers)
{y} ← g x;
(y:⟨battery⟩ eph, f:(battery ↣ ○robot) eph, g:(6bucks ↣ ○battery) pers)
{z} ← f y
(z:⟨robot⟩ eph, g:(6bucks ↣ ○battery) pers)
4.2.8 Frame properties

The frame rule is a concept from separation logic [Rey02]. It states that if a property holds of some program, then the property holds under any extension of the mutable state. The frame rule increases the modularity of separation logic proofs, because two program fragments that reason about different parts of the state can be reasoned about independently.

Similar  frame  properties  hold  for  SLS  traces.  The  direct  analogue  of  the  frame  rule  is  the 
observation  that  a  trace  can  always  have  some  extra  state  framed  on  to  the  outside.  This  is  a 
generalization  of  weakening  to  SLS  traces. 

Theorem 4.2 (Frame weakening).

If T :: (Ψ; Δ) ⇝ (Ψ'; Δ'), then T :: (Ψ, Ψ''; Θ{Δ}) ⇝ (Ψ', Ψ''; Θ{Δ'}).

Proof. Induction on T and case analysis on the first steps of T, using admissible weakening and the properties of matching constructs at each step. □

The frame rule is a weakening property which ensures that new, irrelevant state can always be added to a state. Conversely, any state that is never accessed or modified by a trace can always be removed without making the trace ill-typed. This property is a generalization of strengthening to SLS traces.

Theorem 4.3 (Frame strengthening).

If T :: (Ψ; Θ{x:A lvl}) ⇝ (Ψ'; Θ'{x:A lvl}) and x is not free in any of the steps of T, then T :: (Ψ; Θ{·}) ⇝ (Ψ'; Θ'{·}).

Proof. Induction on T and case analysis on the first steps of T, using a lemma to enforce that, if x is not free in an individual step, it is either not present in the context of the subderivation (if lvl = ord or eph) or else it can be strengthened away (if lvl = pers). □


4.3  Concurrent  equality 


Concurrent equality is a notion of equivalence on traces that is coarser than the equivalence relation we would derive from partial OL3 proofs. Consider the following SLS signature:

Σ = ·, a : prop lin, b : prop lin, c : prop lin, d : prop lin, e : prop lin, f : prop lin,
    first : a ↣ ○(b • c),
    left : b ↣ ○d,
    right : c ↣ ○e,
    last : d • e ↣ ○f


Under the signature Σ, we can create two traces with the type (x_a:⟨a⟩) ⇝ (x_f:⟨f⟩):

T₁ = {x_b, x_c} ← first x_a;
     {x_d} ← left x_b;
     {x_e} ← right x_c;
     {x_f} ← last (x_d • x_e)

versus

T₂ = {x_b, x_c} ← first x_a;
     {x_e} ← right x_c;
     {x_d} ← left x_b;
     {x_f} ← last (x_d • x_e)
In both cases, there is an x_a:⟨a⟩ resource that transitions to a resource x_b:⟨b⟩ and another resource x_c:⟨c⟩, and then x_b:⟨b⟩ transitions to x_d:⟨d⟩ while, independently, x_c:⟨c⟩ transitions to x_e:⟨e⟩. Then, finally, the x_d:⟨d⟩ and x_e:⟨e⟩ combine to transition to x_f:⟨f⟩, which completes the trace.

The independence here is key: if two steps consume different resources, then we want to treat them as independent concurrent steps that could have equivalently happened in the other order. However, if we define equivalence only in terms of the α-equivalence of partial OL3 derivations, the two traces above are distinct. In this section, we introduce a coarser equivalence relation, concurrent equality, that allows us to treat traces that differ only in the interleaving of independent and concurrent steps as being equal. The previous section considered the proof terms of SLS as a fragment of OL3 that is better able to talk about partial proofs. The introduction of concurrent equality takes a step beyond OL3, because it breaks the bijective correspondence between OL3 proofs and SLS proofs. As the example above indicates, there are simply more OL3 proofs than SLS proofs when we quotient the latter modulo concurrent equality and declare T₁ and T₂ to be (concurrently) equal.

Concurrent equality was first introduced and explored in the context of CLF [WCPW02], but our presentation follows the reformulation in [CPS+12], which defines concurrent equivalence based on an analysis of the variables that are used (inputs) and introduced (outputs) by a given step. Specifically, our strategy will be to take a particular well-typed trace T and define a set I of pairs of steps (S₁, S₂) with the property that, if S₁; S₂ is a well-typed trace, then S₂; S₁ is a concurrently equivalent and well-typed trace. This independency relation allows us to treat the trace T as a trace monoid. Concurrent equality, in turn, is just α-equality of SLS proof terms combined with treating {let T in V} and {let T' in V} as equivalent if T and T' are equivalent according to the equivalence relation imposed by treating T and T' as trace monoids.

This formulation of concurrent equality facilitates applying the rich theory developed around trace monoids to SLS traces. For example, it is decidable whether two traces T and T' are equivalent as trace monoids, and there are algorithms for determining whether T' is a subtrace of T (that is, whether there exist T_pre and T_post such that T is equivalent to T_pre; T'; T_post) [Die90]. A different sort of matching problem, in which we are given T, T_pre, and T_post and must determine whether there exists a T' such that T is equivalent to T_pre; T'; T_post, was considered in [CPS+12].

Unfortunately, the presence of equality in SLS complicates our treatment of independency. The interface of a step is used to define independency on steps S = ({P} ← R). Two components of the interface, the input variables •S and the output variables S•, are standard in the literature on Petri nets; see, for example, [Mur89, p. 553]. The third component, the unified variables ⊛S, is unique to our presentation.

Definition 4.4 (Interface of a step).

* The input variables of a step S = ({P} ← R), denoted •S, are all the LF variables a and SLS variables x free in the term R.

* The output variables of a step S = ({P} ← R), denoted by S•, are all the LF variables a and SLS variables x bound by the pattern P that are not subsequently consumed by a substitution t/a in the same pattern.

* The unified variables of a step, denoted by ⊛S, are the free variables of a step that are modified by unification. If t/a appears in a pattern and a is free in the pattern, then t = b for some other variable b; both a and b (if the latter is free in the pattern) are included in the step's unified variables.

Consider a well-typed trace S₁; S₂ with two steps. It is possible, by renaming variables bound in patterns, to ensure that ∅ = •S₁ ∩ S₁• = •S₁ ∩ S₂• = •S₂ ∩ S₂•. We will generally assume that, in the traces we consider, the variables introduced in each step's pattern are renamed to be distinct from the input or output variables of all previous steps.

If S₁; S₂ is a well-typed trace, then the order of S₁ and S₂ is fixed if S₁ introduces variables that are used by S₂, that is, if ∅ ≠ S₁• ∩ •S₂. For example, if S₁ = ({x_b, x_c} ← first x_a) and S₂ = ({x_d} ← left x_b), then {x_b} = S₁• ∩ •S₂, and the two steps cannot be reordered relative to one another. Conversely, the condition that ∅ = S₁• ∩ •S₂ is sufficient to allow reordering in a CLF-like framework [CPS+12], and is also sufficient to allow reordering in SLS when neither step contains unified variables (that is, when ∅ = ⊛S₁ = ⊛S₂). The unification driven by equality, however, can have subtle effects. Consider the following two-step trace:

(a:p, b:p; x:(○(b =_p a)) eph, y:(foo b ↣ ○(bar a)) eph, z:⟨foo a⟩ eph)
{b/a} ← x;
(b:p; y:(foo b ↣ ○(bar b)) eph, z:⟨foo b⟩ eph)
{w} ← y z
(b:p; w:⟨bar b⟩ eph)

This trace cannot be reordered even though ∅ = ∅ ∩ {y, z} = ({b/a} ← x)• ∩ •({w} ← y z), because the atomic term y z is only well typed after the LF variables a and b are unified. It is not even sufficient to compare the free and unified variables (requiring that ∅ = ⊛S₁ ∩ •S₂), as in the example above ⊛({b/a} ← x) = {a, b} and •({w} ← y z) = {y, z}, and obviously ∅ = {a, b} ∩ {y, z}.

The simplest solution is to forbid steps with unified variables from being reordered at all: we can say that (S₁, S₂) ∈ I if ∅ = S₁• ∩ •S₂ = ⊛S₁ = ⊛S₂. It is unlikely that this condition
is  satisfying  in  general,  but  it  is  sufficient  for  all  the  examples  in  this  dissertation.  Therefore, 
we  will  define  concurrent  equality  on  the  basis  of  this  simple  solution.  Nevertheless,  three  other 
possibilities  are  worth  considering;  all  three  are  equivalent  to  this  simple  solution  as  far  as  the 
examples  given  here  are  concerned. 
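The independency relation and the quotient it induces on traces, as an added Python example (not the dissertation's code): steps are read from the {P} ← R notation used above, their interfaces are computed as in Definition 4.4, and the simple solution just stated decides which adjacent steps may be swapped. T₁ and T₂ from the signature Σ come out concurrently equal, while the two-step unification trace admits no reordering. The small parser, the set of rule names treated as constants, and the ASCII spelling of ← and ⊛ are assumptions of this example.

```python
"""Concurrent equality of SLS traces via independency (Section 4.3).

Added example, not the dissertation's code. A step "{P} <- R" is read from the
notation of the text and reduced to its interface (Definition 4.4):
  inputs  (.S)  variables free in the atomic term R,
  outputs (S.)  variables bound by the pattern P and not consumed by a t/a,
  unified (*S)  variables touched by a substitution t/a in P.
Adjacent steps may be swapped under the "simple solution": no variable flows
between them and neither step has unified variables.
"""
import re
from collections import deque
from dataclasses import dataclass

VAR = re.compile(r"[A-Za-z_][A-Za-z0-9_']*")


@dataclass(frozen=True)
class Step:
    text: str             # the step as written, e.g. "{xd} <- left xb"
    inputs: frozenset     # .S
    outputs: frozenset    # S.
    unified: frozenset    # *S


def parse_step(text, signature=frozenset()):
    """Compute the interface of "{P} <- R"; names in `signature` are rule
    constants (such as first, left, right, last) rather than variables."""
    lhs, rhs = text.split("<-")
    outputs, unified = set(), set()
    for item in lhs.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:                      # substitution t/a
            t, a = item.split("/")
            unified.add(a.strip())
            unified.update(VAR.findall(t))   # t = b for a free variable b
        else:
            outputs.add(item)                # a bound LF or SLS variable
    inputs = {v for v in VAR.findall(rhs) if v not in signature}
    return Step(text.strip(), frozenset(inputs), frozenset(outputs), frozenset(unified))


def independent(s1, s2):
    """(S1, S2) in I under the simple solution: S1. and .S2 are disjoint
    (checked in both directions, so renaming between steps is not assumed)
    and neither step has unified variables."""
    no_flow = not (s1.outputs & s2.inputs) and not (s2.outputs & s1.inputs)
    return no_flow and not s1.unified and not s2.unified


def equivalence_class(trace):
    """Every trace reachable from `trace` by swapping adjacent independent
    steps, i.e. its class in the trace monoid generated by I."""
    start = tuple(trace)
    seen, todo = {start}, deque([start])
    while todo:
        t = todo.popleft()
        for i in range(len(t) - 1):
            if independent(t[i], t[i + 1]):
                u = t[:i] + (t[i + 1], t[i]) + t[i + 2:]
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
    return seen


def concurrently_equal(t1, t2):
    """T1 and T2 are concurrently equal iff T2 lies in the class of T1."""
    return tuple(t2) in equivalence_class(t1)


# The signature of Section 4.3 and its two traces T1 and T2.
SIG = frozenset({"first", "left", "right", "last"})
T1 = [parse_step(s, SIG) for s in ("{xb, xc} <- first xa", "{xd} <- left xb",
                                   "{xe} <- right xc", "{xf} <- last (xd . xe)")]
T2 = [parse_step(s, SIG) for s in ("{xb, xc} <- first xa", "{xe} <- right xc",
                                   "{xd} <- left xb", "{xf} <- last (xd . xe)")]
# The two-step trace with unification: {b/a} <- x ; {w} <- y z.
U = [parse_step("{b/a} <- x"), parse_step("{w} <- y z")]

if __name__ == "__main__":
    print("T1 ~ T2:", concurrently_equal(T1, T2))                      # True
    print("class of T1 has", len(equivalence_class(T1)), "traces")     # 2
    print("unification steps reorderable:", independent(U[0], U[1]))  # False
```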


Restricting open propositions   Part of the problem with the example above was that there were variables free in the type of a transition that were not free in the term. A solution is to restrict propositions so that negative propositions in the context are always closed relative to the LF context (or at least relative to the part of the LF context that mentions types subject to pure variable equality, which would be simple enough to determine with a subordination-based analysis). This restriction means that a step S = {P} ← R can only have the parameter a free in R's type if a is free in R, allowing us to declare that S₁ and S₂ are reorderable, meaning that (S₁, S₂) and (S₂, S₁) are in the independency relation I, whenever ∅ = S₁• ∩ •S₂ = ⊛S₁ ∩ •S₂ = ⊛S₁ ∩ ⊛S₂.
While this restriction would be sufficient for the examples in this dissertation, it would preclude a conjectured extension of the destination-adding transformation given in Chapter 7 to nested specifications (nested versus flat specifications are discussed in Section 5.1).

Re-typing   Another alternative would be to follow CLF and allow any reordering permitted by the input and output interfaces, but then forbid those that cannot be re-typed. (This was necessary in CLF to deal with the presence of ⊤.) This is very undesirable, however, because it leads to strange asymmetries. The following trace would be reorderable by this definition, for example, but in a symmetric case where the equality was b =_p a instead of a =_p b, that would no longer be the case.

(a:p, b:p; x:(○(a =_p b)) eph, y:(∀w. foo w ↣ ○(bar w)) eph, z:⟨foo b⟩ eph)
{w} ← y b z;
(a:p, b:p; x:(○(a =_p b)) eph, w:⟨bar b⟩ eph)
{b/a} ← x
(b:p; w:⟨bar b⟩ eph)

Process states with equality constraints   A third possible solution is to change the way we handle the interaction of process states and unification. In this formulation of SLS, the process state (Ψ; Δ)_σ uses σ to capture the constraints that have been introduced by equality. As an alternative, we could have process states mention an explicit constraint store of equality propositions that have been encountered, as in Jagadeesan et al.'s formulation of concurrent constraint programming [JNS05]. Process states with equality constraints might facilitate talking explicitly about the interaction of equality and typing, which in our current formulation is left rather implicit.


4.3.1  Multifocusing 

Concurrent  equality  is  related  to  the  equivalence  relation  induced  by  multifocusing  [CMS09]. 
Like  concurrent  equality,  multifocusing  imposes  a  coarser  equivalence  relation  on  focused  proofs. 
The  coarser  equivalence  relation  is  enabled  by  a  somewhat  different  mechanism:  we  are  allowed 
to  begin  focus  on  multiple  propositions  simultaneously. 

Both multifocusing and concurrent equality seek to address the sequential structure of focused proofs. The sequential structure of a computation needs to be addressed somehow, because it obscures the fact that the interaction between resources in a focused proof has the structure of a directed acyclic graph (DAG), not a sequence. We sketch a radically different, vaguely Feynman-diagram-inspired, way of presenting traces in Figure 4.14. Resources are the edges in the DAG and steps or synthetic inference rules are the vertices. (The crossed edges that exchange x₂ and x₃ are only well-formed because, in our example trace, e and d were both declared to be ephemeral propositions.) Multifocusing gives a unique normal form to proofs by gathering all the focusing steps that can be rotated all the way to the beginning, then all the focusing steps that can happen as soon as those first steps have been rotated all the way to the beginning, etc.
[Diagram: the vertices are the steps {v₁, w₁} ← first u₁, {x₁} ← left v₁, {y₁} ← right w₁, {z₁} ← last (x₁ • y₁); {v₂, w₂} ← first u₂, {x₂} ← left v₂, {y₂} ← right w₂, {z₂} ← last (x₃ • y₂); {v₃, w₃} ← first u₃, {x₃} ← left v₃, {y₃} ← right w₃, {z₃} ← last (x₂ • y₃). The edges are the resources uᵢ:⟨a⟩, vᵢ:⟨b⟩, wᵢ:⟨c⟩, xᵢ:⟨d⟩, yᵢ:⟨e⟩ and zᵢ:⟨f⟩; the edges x₂ and x₃ cross.]

Figure 4.14: Interaction diagram for a trace (u₁:⟨a⟩, u₂:⟨a⟩, u₃:⟨a⟩) ⇝ (z₁:⟨f⟩, z₂:⟨f⟩, z₃:⟨f⟩)

In  SLS,  by  contrast,  we  are  content  to  represent  the  DAG  structure  as  a  list  combined  with  the 
equivalence  relation  given  by  concurrent  equality. 

Multifocusing has only been explored carefully in the context of classical linear logic. We conjecture that derivations in OL3 with a suitably-defined notion of multifocusing would be in bijective correspondence with SLS terms modulo concurrent equivalence, at least if we omit equality. Of course, without a formal notion of multifocusing for intuitionistic logic, this conjecture is impossible to state explicitly. The analogy with multifocusing may be able to shed light on our difficulties in integrating concurrent equality and unification of pure variable types, because multifocusing has an independent notion of correctness: the equivalence relation given by multifocusing coincides with the least equivalence relation that includes all permutations of independent rules in an unfocused sequent calculus proof [CMS09].


4.4  Adequate  encoding 

In Section 4.1.4 we discussed encoding untyped λ-calculus terms as LF terms of type exp, captured by the invertible encoding function ⌜e⌝. Adequacy was extended to Linear LF (LLF) by Cervesato and Pfenning [CP02] and was extended to Ordered LF (OLF) by Polakow [Pol01]. The deductive fragment of SLS approximately extends both LLF and OLF, and the adequacy arguments made by Cervesato and Polakow extend straightforwardly to the deductive fragment of SLS. These adequacy arguments do not extend to the systems we want to encode in the concurrent fragment of SLS, however. The more general techniques we consider in this section will be explored further in Chapter 9 as a general technique for capturing invariants of SLS specifications.
The example that we will give to illustrate adequate encoding is the following signature, the SLS encoding of the push-down automaton for parentheses matching from the introduction; we replace the atomic proposition < with L and the proposition > with R:

Σ_PDA = ·, L : prop ord,
        R : prop ord,
        hd : prop ord,
        push : hd • L ↣ ○(L • hd),
        pop : L • hd • R ↣ ○(hd)

We will relate this specification to a push-down automaton defined in terms of stacks k and strings s, which we define inductively:

k ::= · | k<
s ::= · | <s | >s

The transition system defined in terms of the stacks and strings has two transitions:

(k ▷ (<s)) ↦ ((k<) ▷ s)
((k<) ▷ (>s)) ↦ (k ▷ s)

Existing adequacy arguments for CLF specifications by Cervesato et al. [CPWW02] and by Schack-Nielsen [SN07] have a three-part structure. The first step is to define an encoding function ⌜k ▷ s⌝ = Δ from PDA states k ▷ s to process states Δ, so that, for example, the PDA state (·<<) ▷ (>>><·) is encoded as the process state

x₂:⟨L⟩ ord, x₁:⟨L⟩ ord, h:⟨hd⟩ ord, y₁:⟨R⟩ ord, y₂:⟨R⟩ ord, y₃:⟨R⟩ ord, y₄:⟨L⟩ ord

The second step is to prove a preservation-like property: if ⌜k ▷ s⌝ ⇝_{Σ_PDA} Δ', then Δ' = ⌜k' ▷ s'⌝ for some k' and s'. The third step is the main adequacy result: that ⌜k ▷ s⌝ ⇝_{Σ_PDA} ⌜k' ▷ s'⌝ if and only if k ▷ s ↦ k' ▷ s'.

The second step is crucial in general: without it, we might transition in SLS from the encoding of some k ▷ s to a state Δ' that is not in the image of the encoding. We will take the opportunity to re-factor Cervesato et al.'s approach, replacing the second step with a general statement about transitions in Σ_PDA preserving a well-formedness invariant. The invariant we discuss is a simple instance of the well-formedness invariants that we will explore further in Chapter 9.

The first step in our revised methodology is to describe a generative signature Σ_Gen that precisely captures the set of process states that encode machine states (Theorem 4.6 below). The second step is showing that the generative signature Σ_Gen describes an invariant of the signature Σ_PDA (Theorem 4.7). The third step, showing that ⌜k ▷ s⌝ ⇝_{Σ_PDA} ⌜k' ▷ s'⌝ if and only if k ▷ s ↦ k' ▷ s', is straightforward and follows other developments.
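The three-step methodology carried out mechanically on the parenthesis PDA, as an added Python example (not the dissertation's code): ordered process states are tuples of atoms, Σ_PDA and the generative signature Σ_Gen of Figure 4.15 are both executed as ordered rewriting in which a rule consumes a contiguous block of the state, and the three checks are Theorem 4.6 (the world generated by Σ_Gen equals the image of ⌜k ▷ s⌝), Theorem 4.7 (Σ_PDA never leaves that world) and the adequacy statement itself, all over the finite set of states with at most a chosen number of atoms. The rule tables, the string representation of k and s, and the size bound are assumptions of this example.

```python
"""Adequacy of the SLS encoding of the parenthesis-matching PDA (Section 4.4).

Added example, not the dissertation's code. An ordered process state is a
tuple of atoms; a signature is a table of ordered rewriting rules whose
left-hand side must match a contiguous block of the state (the premises of
push : hd . L -> (L . hd) are adjacent, in that order).
"""
from collections import deque
from itertools import product

# Sigma_PDA:  push : hd . L  ->  L . hd      pop : L . hd . R  ->  hd
SIGMA_PDA = {"push": (("hd", "L"), ("L", "hd")),
             "pop": (("L", "hd", "R"), ("hd",))}

# Sigma_Gen of Figure 4.15; gen, gen_stack and gen_string are the nonterminals.
SIGMA_GEN = {"state": (("gen",), ("gen_stack", "hd", "gen_string")),
             "stack/left": (("gen_stack",), ("L", "gen_stack")),
             "stack/done": (("gen_stack",), ()),
             "string/left": (("gen_string",), ("gen_string", "L")),
             "string/right": (("gen_string",), ("gen_string", "R")),
             "string/done": (("gen_string",), ())}
TERMINALS = ("L", "R", "hd")


def successors(delta, signature):
    """All (rule, delta') such that delta rewrites to delta' in one step."""
    out = []
    for name, (lhs, rhs) in signature.items():
        for i in range(len(delta) - len(lhs) + 1):
            if delta[i:i + len(lhs)] == lhs:
                out.append((name, delta[:i] + rhs + delta[i + len(lhs):]))
    return out


def pda_step(k, s):
    """(k |> <s) -> (k< |> s) and (k< |> >s) -> (k |> s); None when stuck.
    The stack k is a string of '<' with its top at the right end."""
    if s.startswith("<"):
        return k + "<", s[1:]
    if s.startswith(">") and k.endswith("<"):
        return k[:-1], s[1:]
    return None


def encode(k, s):
    """The encoding of k |> s: one L per stack symbol, then hd, then the string."""
    return tuple(["L"] * len(k) + ["hd"] + ["L" if c == "<" else "R" for c in s])


def encoded_states(limit):
    """The image of the encoding for states with at most `limit` atoms."""
    out = set()
    for n in range(limit):                      # n symbols in k and s, plus hd
        for sk in range(n + 1):
            for s in product("<>", repeat=n - sk):
                out.add(encode("<" * sk, "".join(s)))
    return out


def generated_states(limit, signature=SIGMA_GEN, seed=("gen",)):
    """The world described by Sigma_Gen: terminal-only states reachable from
    the seed, cut off at `limit` atoms (the terminal count never decreases)."""
    seen, todo, world = {seed}, deque([seed]), set()
    while todo:
        d = todo.popleft()
        if all(a in TERMINALS for a in d):
            world.add(d)
        for _, d2 in successors(d, signature):
            if sum(a in TERMINALS for a in d2) <= limit and d2 not in seen:
                seen.add(d2)
                todo.append(d2)
    return world


def invariant_preserved(limit):
    """Theorem 4.7 on the finite world: Sigma_PDA never leaves the generated states."""
    world = generated_states(limit)
    return all(d2 in world for d in world for _, d2 in successors(d, SIGMA_PDA))


def adequacy_holds(k, s):
    """encode(k |> s) steps to delta' under Sigma_PDA iff delta' encodes the
    unique PDA successor of k |> s (and there is none when the PDA is stuck)."""
    succ = {d for _, d in successors(encode(k, s), SIGMA_PDA)}
    nxt = pda_step(k, s)
    return succ == ({encode(*nxt)} if nxt else set())


if __name__ == "__main__":
    print(encode("<<", ">>><"))                      # the state from the text
    print("world == image of encoding:", generated_states(5) == encoded_states(5))
    print("invariant preserved:", invariant_preserved(5))
    print("adequate on (<<) |> (>>><):", adequacy_holds("<<", ">>><"))
```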

4.4.1  Generative  signatures 

A  critical  aspect  of  any  adequacy  argument  is  an  understanding  of  the  structure  of  the  relevant 
context(s)  (the  LF  context  in  LF  encodings,  the  substructural  context  in  CLF  encodings,  both  in 
Σ_Gen = ·, L : prop ord,
        R : prop ord,
        hd : prop ord,
        gen : prop ord,
        gen_stack : prop ord,
        gen_string : prop ord,
        state : gen ↣ ○(gen_stack • hd • gen_string),
        stack/left : gen_stack ↣ ○(L • gen_stack),
        stack/done : gen_stack ↣ ○(1),
        string/left : gen_string ↣ ○(gen_string • L),
        string/right : gen_string ↣ ○(gen_string • R),
        string/done : gen_string ↣ ○(1)

G  → Gk hd Gs
Gk → < Gk
Gk → ε
Gs → Gs <
Gs → Gs >
Gs → ε

Figure 4.15: Generative signature for PDA states and an analogous context-free grammar


SLS  encodings).  In  the  statement  of  adequacy  for  untyped  A-calculus  terms  (Section  4.1.4),  for 
instance,  it  was  necessary  to  require  that  the  LF  context  take  the  form  a  \  :exp. . . . ,  an:exp.  In 
the  adequacy  theorems  that  have  been  presented  for  deductive  logical  frameworks,  the  structure 
of  the  context  is  quite  simple.  We  can  describe  a  set  of  building  blocks  that  build  small  pieces  of 
the  context,  and  then  define  the  set  of  valid  process  states  (the  world )  any  process  state  that  can 
be  built  from  a  particular  set  of  building  blocks. 

The structure of our PDA is too complex to represent as an arbitrary collection of building blocks. The process state is organized into three distinct zones:

[ the stack ] [ the head ] [ the string being read ]

We can't freely generate this structure with building blocks, but we can generate it with a context-free grammar. Conveniently, context-free grammars can be characterized within the machinery of SLS itself by describing generative signatures that can generate a set of process states we are interested in from a single seed context. The signature $\Sigma_{\mathrm{Gen}}$ in Figure 4.15 treats all the atomic propositions of $\Sigma_{\mathrm{PDA}}$ (the atomic propositions $L$, $R$ and $\mathrm{hd}$) as terminals, and introduces three nonterminals $\mathrm{gen}$, $\mathrm{gen\_stack}$, and $\mathrm{gen\_string}$.

An informal translation of the signature $\Sigma_{\mathrm{Gen}}$ as a context-free grammar is given on the right-hand side of Figure 4.15. Observe that the sentences in the language $G$ encode the states of our PDA as a string. We will talk much more about generative signatures in Chapter 9.

4.4.2  Restriction 

The operation of restriction adapts the concept of "terminal" and "non-terminal" to SLS. Note that process states $\Delta$ such that $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ are only well-formed under the signature $\Sigma_{\mathrm{PDA}}$ if they are free of nonterminals; we can define an operation of restriction that filters out the non-terminal process states by checking whether they are well-formed in a signature that only declares the terminals.

Definition 4.5 (Restriction).

* $\Psi|_\Sigma$ is a total function that returns the largest context $\Psi' \subseteq \Psi$ such that $\vdash_\Sigma \Psi'\ \mathrm{ctx}$ (defined in Figure 4.3) by removing all the LF variables in $\Psi$ whose types are not well-formed in $\Sigma$.

* $(\Psi;\Delta)|_\Sigma$ is a partial function that is defined exactly when, for every variable declaration $x{:}T\ \mathrm{ord}$ or $x{:}T\ \mathrm{eph}$ in $\Delta$, we have that $(\Psi|_\Sigma) \vdash_\Sigma T\ \mathrm{left}$ (defined in Figure 4.6). When it is defined, $(\Psi;\Delta)|_\Sigma = ((\Psi|_\Sigma);\Delta')$, where $\Delta'$ is $\Delta$ with those variable declarations $x{:}T\ \mathrm{pers}$ removed for which it was not the case that $(\Psi|_\Sigma) \vdash_\Sigma T\ \mathrm{left}$.

* We will also use $(\Psi;\Delta)|_\Sigma$ as a judgment which expresses that the function is defined.

Because restriction is only defined if all the ordered and linear propositions in $\Delta$ are well-formed in $\Sigma$, $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})|_{\Sigma_{\mathrm{PDA}}}$ is not defined. Restriction acts as a semi-permeable membrane on process states: some process states cannot pass through at all, and others pass through with some of their LF variables and persistent propositions removed. We can represent context restriction $(\Psi;\Delta)|_\Sigma = (\Psi';\Delta')$ in a two-dimensional notation as a dashed line annotated with the restricting signature:

$(\Psi;\Delta)$
- - - - - - - - $\Sigma$
$(\Psi';\Delta')$

For all process states that evolve from the initial state $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$ under the signature $\Sigma_{\mathrm{Gen}}$, restriction to $\Sigma_{\mathrm{PDA}}$ is the identity function whenever it is defined. Therefore, in the statement of Theorem 4.6, we use restriction as a judgment $\Delta|_{\Sigma_{\mathrm{PDA}}}$ that holds whenever the partial function is defined.

Theorem 4.6 (Encoding). Up to variable renaming, there is a bijective correspondence between PDA states $k \triangleright s$ and process states $\Delta$ such that $T :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$.

Proof. To establish the bijective correspondence, we first define an encoding function from PDA states to process states:

$\ulcorner k \triangleright s\urcorner = \ulcorner k\urcorner,\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ \ulcorner s\urcorner$
$\ulcorner \bullet \urcorner = \cdot$
$\ulcorner k{<}\urcorner = \ulcorner k\urcorner,\ x{:}\langle L\rangle\ \mathrm{ord}$
$\ulcorner {<}s\urcorner = y{:}\langle L\rangle\ \mathrm{ord},\ \ulcorner s\urcorner$
$\ulcorner {>}s\urcorner = y{:}\langle R\rangle\ \mathrm{ord},\ \ulcorner s\urcorner$

It is always the case that $\ulcorner k \triangleright s\urcorner|_{\Sigma_{\mathrm{PDA}}}$: the encoding only includes terminals.

It is straightforward to observe that $\ulcorner k \triangleright s\urcorner = \ulcorner k' \triangleright s'\urcorner$ if and only if $k = k'$ and $s = s'$. The interesting part of showing that the encoding is an injective function is just showing that it is a function: that is, showing that, for any $k \triangleright s$, there exists a trace $T :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \ulcorner k \triangleright s\urcorner$. To show that the encoding function is surjective, we must show that if $T :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$ then $\Delta = \ulcorner k \triangleright s\urcorner$ for some $k$ and $s$. This will complete the proof: an injective and surjective function is bijective.

Encoding is injective

We prove that for any $k \triangleright s$, there exists a trace $T :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \ulcorner k \triangleright s\urcorner$ with a series of three lemmas.

Lemma. For all $k$, there exists $T :: (x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (\ulcorner k\urcorner, x'{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord})$.

By induction on $k$.

* If $k = \bullet$, $T = \diamond :: (x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord})$.

* If $k = k'{<}$, we have $T' :: (x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (\ulcorner k'\urcorner, x''{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord})$ by the induction hypothesis, so $T = (T';\ \{x_1, x_2\} \leftarrow \mathrm{stack/left}\ x'') :: (x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (\ulcorner k'\urcorner, x_1{:}\langle L\rangle\ \mathrm{ord}, x_2{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord})$.

Lemma. For all $s$, there exists $T :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}, \ulcorner s\urcorner)$.

By induction on $s$.

* If $s = \bullet$, $T = \diamond :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord})$.

* If $s = {<}s'$, we have $T' :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y''{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}, \ulcorner s'\urcorner)$ by the induction hypothesis, so $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/left}\ y'') :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y_1{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}, y_2{:}\langle L\rangle\ \mathrm{ord}, \ulcorner s'\urcorner)$.

* If $s = {>}s'$, we have $T' :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y''{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}, \ulcorner s'\urcorner)$ by the induction hypothesis, so $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/right}\ y'') :: (y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} (y_1{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}, y_2{:}\langle R\rangle\ \mathrm{ord}, \ulcorner s'\urcorner)$.

Lemma. For all $k$ and $s$, there exists $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \ulcorner k \triangleright s\urcorner$.

By straightforward construction using the first two lemmas and frame weakening (Theorem 4.2):

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $\{x, h, y\} \leftarrow \mathrm{state}\ g;$
$(x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord})$
    $T_k$ (given by the first lemma and frame weakening)
$(\ulcorner k\urcorner,\ x'{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord})$
    $\{()\} \leftarrow \mathrm{stack/done}\ x';$
$(\ulcorner k\urcorner,\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord})$
    $T_s$ (given by the second lemma and frame weakening)
$(\ulcorner k\urcorner,\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ \ulcorner s\urcorner)$
    $\{()\} \leftarrow \mathrm{string/done}\ y'$
$(\ulcorner k\urcorner,\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ \ulcorner s\urcorner) = \ulcorner k \triangleright s\urcorner$
Encoding is surjective

We prove that if $T :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$ then $\Delta = \ulcorner k \triangleright s\urcorner$ for some $k$ and $s$ with a series of two lemmas.

Lemma. If $T :: (\ulcorner k\urcorner,\ x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ \ulcorner s\urcorner) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$, then $\Delta = \ulcorner k' \triangleright s'\urcorner$ for some $k'$ and $s'$.

By induction on the structure of $T$ and case analysis on the first steps in $T$. Up to concurrent equality, there are four possibilities:

* $T = (\{()\} \leftarrow \mathrm{stack/done}\ x;\ \{()\} \leftarrow \mathrm{string/done}\ y)$: this is a base case, and we can finish by letting $k' = k$ and $s' = s$.

* $T = (\{x_1, x_2\} \leftarrow \mathrm{stack/left}\ x;\ T')$: apply the induction hypothesis (letting $x = x_2$, $k = k{<}$).

* $T = (\{y_1, y_2\} \leftarrow \mathrm{string/left}\ y;\ T')$: apply the induction hypothesis (letting $y = y_1$, $s = {<}s$).

* $T = (\{y_1, y_2\} \leftarrow \mathrm{string/right}\ y;\ T')$: apply the induction hypothesis (letting $y = y_1$, $s = {>}s$).

The proof above takes a number of facts about concurrent equality for granted. For example, the trace $T = (\{()\} \leftarrow \mathrm{stack/done}\ x;\ \{y_1, y_2\} \leftarrow \mathrm{string/right}\ y;\ T')$ does not syntactically match any of the traces above if we do not account for concurrent equality. Modulo concurrent equality, on the other hand, $T = (\{y_1, y_2\} \leftarrow \mathrm{string/right}\ y;\ \{()\} \leftarrow \mathrm{stack/done}\ x;\ T')$, matching the last branch of the case analysis. If we didn't implicitly rely on concurrent equality in this way, the resulting proof would have twice as many cases. We will take these finite uses of concurrent equality for granted when we specify that a proof proceeds by case analysis on the first steps of $T$ (or, conversely, by case analysis on the last steps of $T$).

Lemma. If $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$, then $\Delta = \ulcorner k' \triangleright s'\urcorner$ for some $k'$ and $s'$.

This is a corollary of the previous lemma, as it can only be the case that $T = (\{x, h, y\} \leftarrow \mathrm{state}\ g;\ T')$. We can apply the previous lemma to $T'$, letting $k = s = \bullet$. This establishes that encoding is a surjective function, which in turn completes the proof. □

Theorem 4.6 establishes that the generative signature $\Sigma_{\mathrm{Gen}}$ describes a world, a set of SLS process states, that precisely corresponds to the states of a push-down automaton. We can (imperfectly) illustrate the content of this theorem in our two-dimensional notation as follows, where placing $\Delta$ alongside $k \triangleright s$ indicates the presence of a bijection:

$(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $\Sigma_{\mathrm{Gen}}$ trace
$\Delta$
- - - - - - - - $\Sigma_{\mathrm{PDA}}$
$\Delta$    $k \triangleright s$

It is interesting to note how the proof of Theorem 4.6 takes advantage of the associative structure of traces: the inductive process that constructed traces in the first two lemmas treated trace composition as left-associative, but the induction we performed on traces in the next-to-last lemma treated trace composition as right-associative.


4.4.3  Generative  invariants 

The generative signature $\Sigma_{\mathrm{Gen}}$ precisely captures the world of SLS process states that are in the image of the encoding $\ulcorner k \triangleright s\urcorner$ of PDA states as process states. In order for the signature $\Sigma_{\mathrm{PDA}}$ to encode a reasonable notion of transition between PDA states, we need to show that steps in this signature only take encoded PDA states to encoded PDA states. Because the generative signature $\Sigma_{\mathrm{Gen}}$ precisely captures the process states that represent encoded PDA states, we can describe and prove this property without reference to the actual encoding function:

Theorem 4.7 (Preservation). If $T_1 :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta_1$, $\Delta_1|_{\Sigma_{\mathrm{PDA}}}$, and $S :: \Delta_1 \leadsto_{\Sigma_{\mathrm{PDA}}} \Delta_2$, then $T_2 :: (x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta_2$.

If we illustrate the given elements as solid lines and elements that we have to prove as dashed lines, the big picture of the encoding and preservation theorems is the following:

[Diagram not recoverable from the scan; only its labels survive: two copies of $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$, one above $\Delta_1$ and one above $\Delta_2$, and $k \triangleright s$ below.]

The proof of Theorem 4.7 relies on two lemmas, which we will consider before the proof itself. They are both inversion lemmas: they help uncover the structure of a trace based on the type of that trace. Treating traces modulo concurrent equality is critical in both cases.

Lemma. Let $\Delta = \Theta\{x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$. If $T :: \Delta \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta'$ and $\Delta'|_{\Sigma_{\mathrm{PDA}}}$, then $T = (T';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$, where $T' :: \Delta \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta'\{x'{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$ and $\Delta' = \Theta'\{h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$. Or, as a picture:

$\Delta = \Theta\{x{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $T$   $=$   $T'$
$\Theta'\{x'{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{stack/done}\ x'$
$\Theta'\{h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{string/done}\ y'$
$\Delta' = \Theta'\{h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$

Proof. By induction on the structure of $T$ and case analysis on the first steps in $T$. Up to concurrent equality, there are five possibilities:

* $T = (\{()\} \leftarrow \mathrm{stack/done}\ x;\ \{()\} \leftarrow \mathrm{string/done}\ y)$. Immediate, letting $T' = \diamond$.

* $T = (\{x_1, x_2\} \leftarrow \mathrm{stack/left}\ x;\ T'')$. By the induction hypothesis (where the new frame incorporates $x_1{:}\langle L\rangle\ \mathrm{ord}$), we have $T'' = (T''';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$. Let $T' = (\{x_1, x_2\} \leftarrow \mathrm{stack/left}\ x;\ T''')$.

* $T = (\{y_1, y_2\} \leftarrow \mathrm{string/left}\ y;\ T'')$. By the induction hypothesis (where the new frame incorporates $y_2{:}\langle L\rangle\ \mathrm{ord}$), we have $T'' = (T''';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$. Let $T' = (\{y_1, y_2\} \leftarrow \mathrm{string/left}\ y;\ T''')$.

* $T = (\{y_1, y_2\} \leftarrow \mathrm{string/right}\ y;\ T'')$. By the induction hypothesis (where the new frame incorporates $y_2{:}\langle R\rangle\ \mathrm{ord}$), we have $T'' = (T''';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$. Let $T' = (\{y_1, y_2\} \leftarrow \mathrm{string/right}\ y;\ T''')$.

* $T = (S;\ T'')$, where $x$ and $y$ are not free in $S$. By the induction hypothesis, we have $T'' = (T''';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$. Let $T' = (S;\ T''')$. (This case will not arise in the way we use this lemma, but the statement of the theorem leaves open the possibility that there are other nonterminals in $\Theta$.)

This completes the proof. □

A corollary of this lemma is that if $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Delta$ and $\Delta|_{\Sigma_{\mathrm{PDA}}}$, then $T = (T';\ \{()\} \leftarrow \mathrm{stack/done}\ x';\ \{()\} \leftarrow \mathrm{string/done}\ y')$, modulo concurrent equality, naturally, where $T' :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{x'{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$ and $\Delta = \Theta\{h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$. To prove the corollary, we observe that $T = (\{x, h, y\} \leftarrow \mathrm{state}\ g;\ T'')$ and apply the lemma to $T''$.

Lemma. The following all hold:

* If $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{x_1{:}\langle L\rangle\ \mathrm{ord},\ x_2{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord}\}$, then $T = (T';\ \{x_1, x_2\} \leftarrow \mathrm{stack/left}\ x')$ for some $x'$.

* If $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{y_1{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y_2{:}\langle L\rangle\ \mathrm{ord}\}$, then $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/left}\ y')$ for some $y'$.

* If $T :: (g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{y_1{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y_2{:}\langle R\rangle\ \mathrm{ord}\}$, then $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/right}\ y')$ for some $y'$.

To give the last of the three statements as a picture:

$g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}$
    $T$   $=$   $T'$
$\Theta'\{y'{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{y_1, y_2\} \leftarrow \mathrm{string/right}\ y'$
$\Theta'\{y_1{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y_2{:}\langle R\rangle\ \mathrm{ord}\}$

Proof. The proofs are all by induction on the structure of $T$ and case analysis on the last steps in $T$; we will prove the last statement, as the other two are similar. Up to concurrent equality, there are two possibilities:

* $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/right}\ y')$. Immediate.

* $T = (T'';\ S)$, where $y_1$ and $y_2$ are not among the input variables ${}^\bullet S$ or the output variables $S^\bullet$. By the induction hypothesis, $T'' = (T''';\ \{y_1, y_2\} \leftarrow \mathrm{string/right}\ y')$. Let $T' = (T''';\ S)$.

This completes the proof. □

Note that we do not consider any cases where $T = (T';\ \{y_1', y_2\} \leftarrow \mathrm{string/right}\ y')$ (for $y_1' \neq y_1$), $T = (T';\ \{y_1, y_2'\} \leftarrow \mathrm{string/right}\ y')$ (for $y_2' \neq y_2$), or (critically) where $T = (T';\ \{y_1, y_2\} \leftarrow \mathrm{string/left}\ y')$. There is no way for any of these traces to have the correct type, which makes the resulting case analysis quite simple.

Proof of Theorem 4.7 (Preservation). By case analysis on the structure of $S$.

Case 1: $S = \{x', h'\} \leftarrow \mathrm{push}\ (h \bullet y)$, which means that we are given the following generative trace in $\Sigma_{\mathrm{Gen}}$:

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T$
$\Theta\{h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle L\rangle\ \mathrm{ord}\}$

and we must construct a trace $(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{x'{:}\langle L\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$. Changing $h$ to $h'$ is just renaming a bound variable, so we have

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T'$
$\Theta\{h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle L\rangle\ \mathrm{ord}\}$

The corollary to the first inversion lemma above on $T'$ gives us

$T' =$
$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T''$
$\Theta\{x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle L\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{stack/done}\ x_g;$
    $\{()\} \leftarrow \mathrm{string/done}\ y_g$
$\Theta\{h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle L\rangle\ \mathrm{ord}\}$

The second inversion lemma (second part) on $T''$ gives us

$T'' =$
$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T'''$
$\Theta\{x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{y_g, y\} \leftarrow \mathrm{string/left}\ y'_g$
$\Theta\{x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle L\rangle\ \mathrm{ord}\}$

Now, we can construct the trace we need using $T'''$:

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T'''$
$\Theta\{x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{x', x'_g\} \leftarrow \mathrm{stack/left}\ x_g;$
$\Theta\{x'{:}\langle L\rangle\ \mathrm{ord},\ x'_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{stack/done}\ x'_g;$
    $\{()\} \leftarrow \mathrm{string/done}\ y'_g$
$\Theta\{x'{:}\langle L\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$

Case 2: $S = \{h'\} \leftarrow \mathrm{pop}\ (x \bullet h \bullet y)$, which means that we are given the following generative trace in $\Sigma_{\mathrm{Gen}}$:

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T$
$\Theta\{x{:}\langle L\rangle\ \mathrm{ord},\ h{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$

and we must construct a trace $(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord}) \leadsto^*_{\Sigma_{\mathrm{Gen}}} \Theta\{h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$. Changing $h$ to $h'$ is just renaming a bound variable, so we have

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T'$
$\Theta\{x{:}\langle L\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$

The corollary to the first inversion lemma above on $T'$ gives us

$T' =$
$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T''$
$\Theta\{x{:}\langle L\rangle\ \mathrm{ord},\ x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{stack/done}\ x_g;$
    $\{()\} \leftarrow \mathrm{string/done}\ y_g$
$\Theta\{x{:}\langle L\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$

The second inversion lemma (first part) on $T''$ gives us

$T'' =$
$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T'''$
$\Theta\{x'_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$
    $\{x, x_g\} \leftarrow \mathrm{stack/left}\ x'_g$
$\Theta\{x{:}\langle L\rangle\ \mathrm{ord},\ x_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$

The second inversion lemma (third part) on $T'''$ gives us

$T''' =$
$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T''''$
$\Theta\{x'_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{y_g, y\} \leftarrow \mathrm{string/right}\ y'_g$
$\Theta\{x'_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord},\ y{:}\langle R\rangle\ \mathrm{ord}\}$

Now, we can construct the trace we need using $T''''$:

$(g{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$
    $T''''$
$\Theta\{x'_g{:}\langle\mathrm{gen\_stack}\rangle\ \mathrm{ord},\ h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord},\ y'_g{:}\langle\mathrm{gen\_string}\rangle\ \mathrm{ord}\}$
    $\{()\} \leftarrow \mathrm{stack/done}\ x'_g;$
    $\{()\} \leftarrow \mathrm{string/done}\ y'_g$
$\Theta\{h'{:}\langle\mathrm{hd}\rangle\ \mathrm{ord}\}$

These two cases represent the only two synthetic transitions that are possible under the signature $\Sigma_{\mathrm{PDA}}$, so we are done. □

Theorem 4.7 establishes that the generative signature $\Sigma_{\mathrm{Gen}}$ is a generative invariant of the signature $\Sigma_{\mathrm{PDA}}$. We consider theorems of this form further in Chapter 9, but they all essentially follow the structure of Theorem 4.7. First, we enumerate the synthetic transitions associated with a given signature. Second, in each of those cases, we use the type of the synthetic transition to perform inversion on the structure of the given generative trace. Third, we construct a generative trace that establishes the fact that the invariant was preserved.

4.4.4  Adequacy  of  the  transition  system 

The hard work of adequacy is established by the preservation theorem; the actual adequacy theorem is just an enumeration in both directions.

Theorem 4.8 (Adequacy). $\ulcorner k \triangleright s\urcorner \leadsto_{\Sigma_{\mathrm{PDA}}} \ulcorner k' \triangleright s'\urcorner$ if and only if $k \triangleright s \mapsto k' \triangleright s'$.

Proof. Both directions can be established by case analysis on the structure of $k$ and $s$. □

As an immediate corollary of this theorem and preservation (Theorem 4.7), we have the stronger adequacy property that if $\ulcorner k \triangleright s\urcorner \leadsto_{\Sigma_{\mathrm{PDA}}} \Delta'$, then $\Delta' = \ulcorner k' \triangleright s'\urcorner$ for some $k'$ and $s'$ such that $k \triangleright s \mapsto k' \triangleright s'$. In our two-dimensional notation, the complete discussion of adequacy for SLS is captured by the following picture:

[Diagram not recoverable from the scan; only its labels survive: on the left, $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$, a $\Sigma_{\mathrm{Gen}}$ trace to $\Delta$, a restriction line to $\Delta$, and $k \triangleright s$; on the right, $(x{:}\langle\mathrm{gen}\rangle\ \mathrm{ord})$, a $\Sigma_{\mathrm{Gen}}$ trace to $\Delta'$, a restriction line to $\Delta'$, and $k' \triangleright s'$.]

$\downarrow A^-$ = A
$\text{¡}A^-$ = $A
$!A^-$ = !A
$1$ = one
$A^+ \bullet B^+$ = A * B
$\exists x{:}\tau.A^+$ = Exists x.A
$t \doteq s$ = t == s

$\bigcirc A^+$ = {A}
$A^+ \rightarrowtail B^-$ = A >-> B
$A^+ \twoheadrightarrow B^-$ = A ->> B
$A^- \mathbin{\&} B^-$ = A & B
$\forall x{:}\tau.A^-$ = All x.A
$\text{¡}A^- \rightarrowtail B^-$ = A -o B
$!A^- \rightarrowtail B^-$ = A -> B

$\lambda x.t$ = \x. t
$\mathrm{foo}\ t_1 \ldots t_n$ = foo t1...tn
$\Pi x{:}\tau.\nu$ = Pi x. nu
$\tau \to \nu$ = tau -> nu
$\mathrm{bar}\ t_1 \ldots t_n$ = bar t1...tn

Figure 4.16: Mathematical and ASCII representations of propositions, terms, and classifiers

4.5  The  SLS  implementation 

The prototype implementation of SLS contains a parser and typechecker for the SLS language, and is available from https://github.com/robsimmons/sls. Code that is checked by this prototype implementation will appear frequently in the rest of this document, always in a fixed-width font.

The checked SLS code differs slightly from mathematical SLS specifications in a few ways; the translation between the mathematical notation we use for SLS propositions and the ASCII representation used in the implementation is outlined in Figure 4.16. Following CLF and the Celf implementation, we write the lax modality $\bigcirc A$ in ASCII as {A}; recall that in Section 4.2 we introduced the $\{A^+\}$ notation from CLF as a synonym for Fairtlough and Mendler's $\bigcirc A^+$. The exponential $\text{¡}A$ doesn't have an ASCII representation, so we write $A. Upshifts and downshifts are always inferred: this means that we can't write down $\uparrow A^+$ or $\downarrow\uparrow A^+$, but neither of these OL3 propositions are part of the SLS fragment anyway.

The SLS implementation also supports conventional abbreviations for arrows that we won't use in mathematical notation: $\text{¡}A^- \rightarrowtail B^-$ can be written as A -o B or $A >-> B in the SLS implementation, and $!A^- \rightarrowtail B^-$ can be written as A -> B or !A >-> B. This final proposition is ambiguous, because X -> Y can be an abbreviation for $!X \rightarrowtail Y$ or $\Pi x{:}X.Y$, but SLS can figure out which form was intended by analyzing the structure of Y. Also note that we could have just as easily made A -o B an abbreviation for $A ->> B, but we had to pick one and the choice absolutely doesn't matter. All arrows can also be written backwards: B <-< A is equivalent to A >-> B, B o- A is equivalent to A -o B, and so on.

Also following traditional conventions, upper-case variables that are free in a rule will be treated as implicitly quantified. Therefore, the line

rule: foo X <- (bar Y -> baz Z).

will be reconstructed as the SLS declaration

$\mathrm{rule} : \forall Y{:}\tau_1.\ \forall Z{:}\tau_2.\ \forall X{:}\tau_3.\ !(!\mathrm{bar}\ Y \rightarrowtail \mathrm{baz}\ Z) \rightarrowtail \mathrm{foo}\ X$

where the implementation infers the types $\tau_1$, $\tau_2$, and $\tau_3$ appropriately from the declarations of the negative predicates foo, bar, and baz. The type annotation associated with equality is similarly inferred.

Another significant piece of syntactic sugar introduced for the sake of readability is less conventional, if only because positive atomic propositions are not conventional. If P is a persistent atomic proposition, we can optionally write !P wherever P is expected, and if P is a linear atomic proposition, we can write $P wherever P is expected. This means that if a, b, and c are (respectively) ordered, linear, and persistent positive atomic propositions, we can write the positive proposition $a \bullet b \bullet c$ in the SLS implementation as (a * b * c), (a * $b * c), (a * b * !c), or (a * $b * !c). Without these annotations, it is difficult to tell at a glance which propositions are ordered, linear, or persistent when a signature uses more than one variety of proposition. When all of these optional annotations are included, the rules in a signature that uses positive atomic propositions look the same as rules in a signature that uses the pseudo-positive negative atomic propositions described in Section 4.7.1.

In the code examples given in the remainder of this document, we will use these optional annotations in a consistent way. We will omit the optional $A annotations only in specifications with no ordered atomic propositions, and we will omit the optional !A annotations in specifications with no ordered or linear atomic propositions. This makes the mixture of different exponentials explicit while avoiding the need for rules like ($a * $b * $c >-> {$d * $e}) when specifications are entirely linear (and likewise when specifications are entirely persistent).


4.6  Logic  programming 

One logic programming interpretation of CLF was explored by the Lollimon implementation [LPPW05] and adapted by the Celf implementation [SNS08, SN11]. Logic programming interpretations of SLS are not a focus of this dissertation, but we will touch on a few points in this section.

Logic programming is important because it provides us with operational intuitions about the intended behavior of the systems we specify in SLS. One specific set of intuitions will form the basis of the operationalization transformations on SLS specifications considered in Chapter 6. Additionally, logic programming intuitions are relevant because they motivated the design of SLS, in particular the presentation of the concurrent fragment in terms of partial, rather than complete, proofs. We discuss this point in Section 4.6.2.
4.6.1 Deductive computation and backward chaining

Deductive computation in SLS is the search for complete proofs of sequents of the form $\Psi;\Delta \vdash \langle p^-\rangle\ \mathit{true}$. A common form of deductive computation is goal-directed search, or what Andreoli calls the proof construction paradigm [And01]. In SLS, goal-directed search for the proof of a sequent $\Psi;\Delta \vdash \langle p^-\rangle\ \mathit{true}$ can only proceed by focusing on a proposition like $\downarrow p_1^- \rightarrowtail \cdots \rightarrowtail \downarrow p_n^- \rightarrowtail p^-$ which has a head $p^-$ that matches the succedent. This replaces the goal sequent $\Psi;\Delta \vdash \langle p^-\rangle\ \mathit{true}$ with $n$ subgoals: $\Psi;\Delta_1 \vdash \langle p_1^-\rangle\ \mathit{true}\ \ldots\ \Psi;\Delta_n \vdash \langle p_n^-\rangle\ \mathit{true}$, where $\Delta$ matches $\Delta_1, \ldots, \Delta_n$.

When goal-directed search only deals with the unproved subgoals of a single coherent derivation at a time, it is called backward chaining, because we're working backwards from the goal we want to prove.³ The term top-down logic programming is also used, and refers to the fact that, in the concrete syntax of Prolog, the rule $\downarrow p_1^- \rightarrowtail \cdots \rightarrowtail \downarrow p_n^- \rightarrowtail p^-$ would be written with $p^-$ on the first line, $p_1^-$ on the second, etc. This is exactly backwards from a proof-construction perspective, as we think of backward chaining as building partial proofs from the bottom up, the root towards the leaves, so we will avoid this terminology.

The backward-chaining interpretation of intuitionistic logics dates back to the work by Miller et al. on uniform proofs [MNPS91]. An even older concept, Clark's negation-as-failure [Cla87], is based on a partial completeness criterion for logic programming interpreters. Partial completeness demands that if the interpreter gives up on finding a proof, no proof should exist. (The interpreter is allowed to run forever without succeeding or giving up.) Partial completeness requires backtracking in backward-chaining search: if we try to prove $\Psi;\Delta \vdash \langle p^-\rangle\ \mathit{true}$ by focusing on a particular proposition and one of the resulting subgoals fails to be provable, we have to consider any other propositions that could have been used to prove the sequent before giving up. Backtracking can be extremely powerful in certain cases and incredibly expensive in others, and so most logic programming languages have an escape hatch that modifies or limits backtracking at the user's discretion, such as the Prolog cut (no relation to the admissible rule cut) or Twelf's deterministic declarations. Non-backtracking goal-oriented deductive computation is called flat resolution [AK99].

One feature of backward chaining and goal-directed search is that it usually allows for terms that are not completely specified; these unspecified pieces are traditionally called logic variables. Because LF variables are also "logic variables," the literature on $\lambda$Prolog and Twelf calls unspecified pieces of terms existential variables, but as they bear no relation to the variables introduced by the left rule for $\exists x{:}\tau.A^+$, that terminology is also unhelpful here. Consider the

³The alternative is to try and derive the same sequent in multiple ways simultaneously, succeeding whenever some way of proving the sequent is discovered. Unlike backward chaining, this strategy of breadth-first search is complete: if a proof exists, it will be found. Backward chaining as we define it is only nondeterministically or partially complete, because it can fail to terminate when a proof exists. We will call this alternative to backtracking breadth-first theorem proving, as it amounts to taking a breadth-first, instead of depth-first, view of the so-called failure continuation [Pfe12a].
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following  SLS  signature: 

£ Add  =  nat  :  type,  z  :  nat,  s  :  nat  — >  nat, 
plus  :  nat  — *  nat  — *  nat  — >  prop, 
plus/z  :  ViV:nat.  (plusziViV), 

plus/s  :  ViV:nat.  VM:nat.  VP: nat. ! (plus  iVM  P)  (plus  (s  N)  M  (s  P)) 

In addition to searching for a proof of plus (s z) (s z) (s (s z)) (which will succeed, as 1 + 1 = 2) or searching for a proof of plus (s z) (s z) (s (s (s z))) (which will fail, as 1 + 1 ≠ 3), we can use goal-oriented deductive computation to search for plus (s z) (s z) X, where X represents an initially unspecified term. This search will succeed, reporting that X = (s (s z)). Unification is generally used in backward-chaining logic programming languages as a technique for implementing partially unspecified terms, but this implementation technique should not be confused with our use of unification-based equality t ≐ s as a proposition in SLS.

We say that plus in the signature above is a well-moded predicate with mode (plus + + −), because whenever we perform deductive computation to derive (plus n m p) where n and m are fully specified, any unspecified portion of p must be fully specified in any completed derivation. Well-moded predicates can be treated as nondeterministic (in the sense of potentially having zero, one, or many outputs) partial functions from their inputs (the indices marked "+" in the mode) to their outputs (the indices marked "−" in the mode). A predicate can sometimes be given more than one mode: (plus + − +) is a valid mode for plus, but (plus + − −) is not.
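As an added illustration (not code from the dissertation or the SLS prototype), the following Python sketch runs backtracking backward chaining with unification over the Σ_Add signature above, reproducing the three queries and the mode observations; the names Var, unify, solve and query are chosen here, and trying clauses depth-first in signature order is an assumption.

```python
# Added example: backtracking backward chaining with unification for Sigma_Add.
# Terms are either a Var (a logic variable) or a tuple ("constructor", arg1, ...),
# so z is ("z",) and s t is ("s", t).
from itertools import count


class Var:
    """A logic variable: an initially unspecified piece of a term."""
    _ids = count()

    def __init__(self, name):
        self.name, self.id = name, next(Var._ids)

    def __repr__(self):
        return f"?{self.name}{self.id}"


def nat(n):
    """Unary numeral for n, e.g. nat(2) == ("s", ("s", ("z",)))."""
    return ("z",) if n == 0 else ("s", nat(n - 1))


def walk(t, subst):
    """Follow variable bindings in subst until reaching an unbound variable or a constructor."""
    while isinstance(t, Var) and t in subst:
        t = subst[t]
    return t


def occurs(v, t, subst):
    t = walk(t, subst)
    return t is v or (isinstance(t, tuple) and any(occurs(v, a, subst) for a in t[1:]))


def unify(a, b, subst):
    """Return an extended substitution making a and b equal, or None on failure."""
    a, b = walk(a, subst), walk(b, subst)
    if a is b:
        return subst
    if isinstance(a, Var):
        return None if occurs(a, b, subst) else {**subst, a: b}
    if isinstance(b, Var):
        return None if occurs(b, a, subst) else {**subst, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        subst = unify(x, y, subst)
        if subst is None:
            return None
    return subst


# Each clause returns a fresh (head, premises) pair on every use, mirroring the
# universal quantifiers of plus/z and plus/s in the signature.
def plus_z():
    N = Var("N")
    return ("plus", ("z",), N, N), []


def plus_s():
    N, M, P = Var("N"), Var("M"), Var("P")
    return ("plus", ("s", N), M, ("s", P)), [("plus", N, M, P)]


SIGMA_ADD = [plus_z, plus_s]


def solve(goals, subst, sig):
    """Depth-first backtracking search; yields one substitution per derivation found."""
    if not goals:
        yield subst
        return
    goal, rest = goals[0], goals[1:]
    for clause in sig:  # try clauses in signature order, backtracking on failure
        head, premises = clause()
        s = unify(goal, head, subst)
        if s is not None:
            yield from solve(premises + rest, s, sig)


def reify(t, subst):
    """Substitute bindings into t; unbound variables stay as Var objects."""
    t = walk(t, subst)
    return (t[0],) + tuple(reify(a, subst) for a in t[1:]) if isinstance(t, tuple) else t


def is_ground(t):
    """True when t contains no unbound logic variable."""
    return isinstance(t, tuple) and all(is_ground(a) for a in t[1:])


def show(t):
    """Render a nat term the way the text does, e.g. 's (s z)'."""
    if isinstance(t, Var):
        return repr(t)
    if t[0] == "z":
        return "z"
    return "s z" if t[1] == ("z",) else f"s ({show(t[1])})"


def query(goal, sig=SIGMA_ADD, limit=10):
    """Up to `limit` answers, each the list of the goal's arguments with bindings applied."""
    answers = []
    for subst in solve([goal], {}, sig):
        answers.append([reify(a, subst) for a in goal[1:]])
        if len(answers) >= limit:
            break
    return answers


if __name__ == "__main__":
    print(query(("plus", nat(1), nat(1), nat(2))))           # one derivation: 1 + 1 = 2
    print(query(("plus", nat(1), nat(1), nat(3))))           # []: 1 + 1 != 3
    X = Var("X")
    print(show(query(("plus", nat(1), nat(1), X))[0][2]))    # s (s z), mode (plus + + -)
```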

The implementation of backward chaining in substructural logic has been explored by Hodas [HM94], Polakow [Pol00, Pol01], Armelín and Pym [AP01], and others. Efficient implementation of these languages is complicated by the problem of resource management. In linear logic proof search, it would be technically correct but highly inefficient to perform proof search by enumerating the ways that a context can be split and then backtracking over each possible split. Resource management allows the interpreter to avoid this potentially exponential backtracking, but describing resource management and proving it correct, especially for richer substructural logics, can be complex and subtle [CHP00].

The term deductive computation is meant to be interpreted very broadly, and goal-directed search is not the only form of deductive computation. Another paradigm for deductive computation is the inverse method, where the interpreter attempts to prove a sequent Ψ; Δ ⊢ ⟨p−⟩ true by creating and growing a database of sequents that are derivable, attempting to build the appropriate derivation from the leaves down. The inverse method is generally associated with theorem proving and not logic programming. However, Chaudhuri, Pfenning, and Price have shown that deductive computation with the inverse method in a focused linear logic can simulate both backward chaining and forward chaining (considered below) for persistent Horn-clause logic programs [CPP08].

Figure 4.17 gives a taxonomy (incomplete and imperfect) of the forms of deductive computation mentioned in this section. Note that, while we will generally use backward chaining to describe backtracking search, backward chaining does not always imply full backtracking and partial completeness. This illustration, and the preceding discussion, leaves out many important categories, especially tabled logic programming, and many potentially relevant implementation choices, such as breadth-first versus depth-first or parallel exploration of the success continuation.
Deductive computation
  (search for complete derivations Δ ⊢ U)
  |
  |-- goal-directed search (maintains sets of subgoal sequents)
  |     |-- depth-first: backward chaining
  |     |     |-- backtracking: backward chaining
  |     |     `-- committed-choice: flat resolution
  |     `-- breadth-first: breadth-first theorem proving
  `-- inverse method theorem proving (maintains sets of derivable sequents)

Figure 4.17: A rough taxonomy of deductive computation


4.6.2 Concurrent computation

Concurrent computation is the search for partial proofs of sequents. As the name suggests, in SLS concurrent computation is associated with the search for partial proofs of the judgment A+ lax, which correspond to traces (Ψ; Δ) ⇝ (Ψ'; Δ').

The paradigm we will primarily associate with concurrent computation is forward chaining, which implies that we take an initial process state (Ψ; Δ) and allow it to evolve freely by the application of synthetic transitions. Additional conditions can be imposed on forward chaining: for instance, synthetic transitions like (Δ, x:⟨p+⟩ pers) ⇝ (Δ, x:⟨p+⟩ pers, y:⟨p+⟩ pers) that do not meaningfully change the state can be excluded (if a persistent proposition already exists, two copies of that proposition don't add anything).⁴ Forward chaining with this restriction in a purely persistent logic is strongly associated with the Datalog language and its implementations; we will refer to forward chaining in persistent logics as saturating logic programming in Chapter 8. Forward chaining does not always deal with partially unspecified terms; when persistent logic programming languages support forward chaining with partially unspecified terms, it is called hyperresolution [FLHT01].

The presence of ephemeral or ordered resources in substructural logic means that a process state may evolve in multiple mutually incompatible ways. Committed choice is a version of forward chaining that never goes back and reconsiders alternative evolutions from the initial state. Just as the default interpretation of backward chaining includes backtracking, we will consider the default interpretation of forward chaining to be committed choice, following [LPPW05]. An alternative interpretation would consider multiple evolutionary paths, which is a version of exhaustive search. Trace computation that works backwards from a final state instead of forward from an initial state can also be considered, and planning can be seen as specifying both the initial and final process states and trying to extrapolate a trace between them by working in both

⁴Incidentally, Lollimon implements this restriction and Celf, as of version 2.9, does not.

directions.

Outside of this work and Saurin's work on Ludics programming [Sau08], there is not much work on explicitly characterizing and searching for partial proofs in substructural logics.⁵ Other forms of computation can be characterized as trace computation, however. Multiset rewriting and languages like GAMMA can be partially or completely understood in terms of forward chaining in linear logic [CS09, BG96], and the ordered aspects of SLS allow it to capture fragments of rewriting logic. Rewriting logic, and in particular the Maude implementation of rewriting logic [CDE+11], implements both the committed choice and the exhaustive search interpretations, as well as a model checking interpretation that characterizes sets of process states or traces using logical formulas. Constraint handling rules [BRF10] and concurrent constraint programming [JNS05] are other logic programming models that can be characterized as forms of concurrent computation.

4.6.3 Integrating deductive and trace computation

In the logic programming interpretation of CLF used by Lollimon and Celf, backtracking backward chaining is associated with the deductive fragment, and committed-choice forward chaining is associated with the lax modality. We will refer to an adaptation of the Lollimon/Celf semantics to SLS as "the Lollimon semantics" for brevity in this section.

Forward chaining and backward chaining have an uneasy relationship in the Lollimon semantics. Consider the following SLS signature:

Σ_Demo = posA : prop ord, posB : prop ord, posC : prop ord, negD : prop,
         fwdruleAB : posA ↣ ◯posB,
         fwdruleAC : posA ↣ ◯posC,
         bwdrule : (posA ↣ ◯posB) ↣ negD

In an empty context, there is only one derivation of negD under this signature: it is represented by the proof term bwdrule (λx. {let {y} ← fwdruleAB x in y}). The partially complete interpretation of backward chaining stipulates that an interpreter tasked with finding a proof of negD should either find this proof or never terminate, but the Lollimon semantics only admits this interpretation for purely deductive proofs. To see why, consider backward-chaining search attempting to prove negD in a closed context. This can only be done with the rule bwdrule, generating the subgoal posA ↣ ◯posB. At this point, the Lollimon semantics will switch from backward chaining to forward chaining and attempt to satisfy this subgoal by constructing a trace (x:⟨posA⟩ ord) ⇝ (y:⟨posB⟩ ord).

There are two nontrivial traces in this signature starting from the process state (x:⟨posA⟩ ord): the first is ({y} ← fwdruleAB x) :: (x:⟨posA⟩ ord) ⇝ (y:⟨posB⟩ ord), and the second is ({y} ← fwdruleAC x) :: (x:⟨posA⟩ ord) ⇝ (y:⟨posC⟩ ord). Forward chaining can plausibly come up with either one, and if it happens to derive the second one, the subgoal fails. Lollimon then tries to backtrack to find other rules that can prove the conclusion negD, but there are none, so the Lollimon semantics will report a failure to prove negD.

⁵As such, "concurrent computation," while appropriate for SLS, may or may not prove to be a good name for the general paradigm.
This example indicates that it is difficult to make backward chaining (in its default backtracking form) reliant on forward chaining (in its default committed-choice form) in the Lollimon semantics. Either we can restrict forward chaining to confluent systems (excluding Σ_Demo) or else we can give up on the usual partially complete interpretation of backward chaining. In the other direction, however, it is entirely natural to make forward chaining dependent upon backward chaining. The fragment of CLF that encodes this kind of computation was labeled the semantic effects fragment by DeYoung [DP09]. At the logical level, the semantic effects fragment of SLS removes the right rule for ◯A+, which corresponds to the proof term {let T in V}. As discussed in Section 4.2.6, these let-expressions are the only point where traces are included into the language of deductive terms.
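As an added illustration (not from the dissertation, Lollimon, or Celf), this Python sketch compares committed-choice and exhaustive forward chaining on the Σ_Demo subgoal posA ↣ ◯posB from Section 4.6.3, on the footnote-4 restriction from Section 4.6.2, and on the earlier money-store-battery-robot process state; it simplifies the ordered context to a multiset (order is ignored), and the Rule class and all function names are chosen here.

```python
# Added example: committed-choice versus exhaustive forward chaining over a
# process state.  Simplification: the ordered context is treated as a multiset.
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    name: str
    premises: tuple      # atom names; firing consumes one resource per premise
    conclusions: tuple   # (atom name, level) pairs produced under the lax modality


# A process state is a list of (item, level) where item is an atom name or a Rule
# and level is "ord", "eph" or "pers".  Rules declared in a signature are persistent.
FWD_AB = Rule("fwdruleAB", ("posA",), (("posB", "ord"),))
FWD_AC = Rule("fwdruleAC", ("posA",), (("posC", "ord"),))


def enabled_steps(state):
    """Every (rule index, premise indices) pair that could fire in `state`."""
    atoms = [i for i, (item, _) in enumerate(state) if isinstance(item, str)]
    steps = []
    for ri, (item, _) in enumerate(state):
        if isinstance(item, Rule):
            for idxs in permutations(atoms, len(item.premises)):
                if all(state[i][0] == p for i, p in zip(idxs, item.premises)):
                    steps.append((ri, idxs))
    return steps


def apply_step(state, step):
    """Fire one step; None if it would not change the state (the footnote-4 restriction)."""
    ri, idxs = step
    rule, rlevel = state[ri]
    consumed = {i for i in idxs if state[i][1] != "pers"}   # persistent premises survive
    if rlevel != "pers":
        consumed.add(ri)                                    # an ephemeral rule is used up
    new_state = [r for i, r in enumerate(state) if i not in consumed]
    added = [c for c in rule.conclusions if not (c[1] == "pers" and c in new_state)]
    if not consumed and not added:
        return None
    return new_state + added


def committed_choice(state, max_steps=1000):
    """Forward chaining with committed choice: take the first enabled step, never revisit."""
    trace = []
    for _ in range(max_steps):
        for step in enabled_steps(state):
            nxt = apply_step(state, step)
            if nxt is not None:
                trace.append(state[step[0]][0].name)
                state = nxt
                break
        else:
            return trace, state           # quiescent: no meaningful step remains
    raise RuntimeError("no quiescent state reached")


def canon(state):
    return tuple(sorted((repr(item), lvl) for item, lvl in state))


def exhaustive(state):
    """Exhaustive search: every quiescent state reachable by some trace."""
    finals, seen, stack = [], set(), [state]
    while stack:
        st = stack.pop()
        if canon(st) in seen:
            continue
        seen.add(canon(st))
        succ = [n for n in (apply_step(st, s) for s in enabled_steps(st)) if n is not None]
        if not succ:
            finals.append(st)
        stack.extend(succ)
    return finals


def atoms(state):
    """The atomic resources of a state as a sorted list (rules omitted)."""
    return sorted(item for item, _ in state if isinstance(item, str))


def subgoal_committed(signature_order):
    """Does committed-choice chaining from x:<posA> ord end in exactly posB?"""
    state = [("posA", "ord")] + [(r, "pers") for r in signature_order]
    trace, final = committed_choice(state)
    return atoms(final) == ["posB"], trace


def subgoal_exhaustive(signature_order):
    """Does some trace from x:<posA> ord end in exactly posB?"""
    state = [("posA", "ord")] + [(r, "pers") for r in signature_order]
    return any(atoms(f) == ["posB"] for f in exhaustive(state))


# The money-store-battery-robot state: f is an ephemeral rule, g a persistent one.
ROBOT_F = Rule("f", ("battery",), (("robot", "eph"),))
ROBOT_G = Rule("g", ("6bucks",), (("battery", "eph"),))
ROBOT_STATE = [("6bucks", "eph"), (ROBOT_F, "eph"), (ROBOT_G, "pers")]

if __name__ == "__main__":
    print(subgoal_committed([FWD_AB, FWD_AC]))   # (True, ['fwdruleAB'])
    print(subgoal_committed([FWD_AC, FWD_AB]))   # (False, ['fwdruleAC']): subgoal fails
    print(subgoal_exhaustive([FWD_AC, FWD_AB]))  # True: exhaustive search finds posB
    print(committed_choice(ROBOT_STATE))         # (['g', 'f'], [(g, 'pers'), ('robot', 'eph')])
```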


4.7 Design decisions

Aside from ordered propositions, there are several significant differences between the framework SLS presented in this chapter and the existing logical framework CLF, including the presence of positive atomic propositions, the introduction of traces as an explicit notation for partial proofs, the restriction of the term language to LF, and the presence of equality t ≐_τ s as a proposition. In this section, we will discuss design choices that were made in terms of each of these features, their effects, and what choices could have been made differently.

4.7.1 Pseudo-positive atoms

Unlike SLS, the CLF framework does not include positive atomic propositions. Positive atomic propositions make it easy to characterize the synthetic transitions associated with a particular rule. For example, if foo, bar, and baz are all linear atomic propositions, then the presence of a rule somerule : (foo • bar ↣ ◯baz) in the signature is associated with synthetic transitions of the form (Ψ; Δ, x:⟨foo⟩ eph, y:⟨bar⟩ eph) ⇝ (Ψ; Δ, z:⟨baz⟩ eph). The presence of the rule somerule enables steps of this form, and every step made by focusing on the rule has this form.

CLF has no positive propositions, so the closest analogue that we can consider is where foo, bar, and baz are negative propositions, and the rule ↓foo • ↓bar ↣ ◯(↓baz) appears in the signature. Such a rule is associated with synthetic transitions of the form (Ψ; Δ, Δ1, Δ2) ⇝ (Ψ; Δ, z:baz ord) such that Ψ; Δ1 ⊢ ⟨foo⟩ true and Ψ; Δ2 ⊢ ⟨bar⟩ true. In SLS, it is a relatively simple syntactic criterion to enforce that a sequent like Ψ; Δ1 ⊢ ⟨foo⟩ true can only be derived if Δ1 matches x:foo; we must simply ensure that there are no propositions of the form foo or ... → foo in the signature or context. (In fact, this is essentially the SLS version of the subordination criteria that allows us to conclude that an LF type is only inhabited by variables in Section 4.2.) Note that, in full OL3, this task would not be so easy: we might prove ⟨foo⟩ true indirectly by forward chaining. This is one reason why the association of traces with the lax modality is so important!

When it is the case that Ψ; Δ1 ⊢ ⟨foo⟩ true can only be derived if Δ1 matches x:foo, we can associate the rule ¡foo • ¡bar ↣ ◯(¡baz) with a unique synthetic transition of the form (Ψ; Δ, x:foo lvl, y:bar lvl') ⇝ (Ψ; Δ, z:⟨baz⟩ eph) under the condition that neither lvl nor lvl' is ord. Negative atomic propositions that can only be concluded when they are the sole member of the context, like foo and bar in this example, can be called pseudo-positive. Pseudo-positive atoms can actually be used a bit more generally than SLS's positive atomic propositions. A positive atomic proposition is necessarily associated with one of the three judgments ord, eph, or pers, but pseudo-positive propositions can associate with any of the contexts. This gives pseudo-positive atoms in CLF or SLS the flavor of positive atomic propositions under Andreoli's atom optimization (Section 2.5.1).

It is, of course, possible to consistently associate particular pseudo-positive propositions with particular modalities, which means that pseudo-positive propositions can subsume the positive propositions of SLS. The trade-off between positive and pseudo-positive propositions could be resolved either way. By including positive atomic propositions, we made SLS more complicated, but in a local way: we needed a few more kinds (the kinds prop ord, prop lin, and prop pers, to be precise) and a few more rules. On the other hand, if we used pseudo-positive propositions, the notion of synthetic transitions would be intertwined with the subordination-like analysis that enforces their correct usage.

4.7.2 The need for traces

One of the most important differences between SLS and its predecessors, especially CLF, is that traces are treated as first-class syntactic objects. This allows us to talk about partial proofs and thereby encode our earlier money-store-battery-robot example as a trace with this type:

(x:⟨6bucks⟩ eph, f:(battery ↣ ◯robot) eph, g:(6bucks ↣ ◯battery) pers)
⇝ (z:⟨robot⟩ eph, g:(6bucks ↣ ◯battery) pers)

It is also possible to translate the example from Chapter 2 as a complete proof of the following proposition:

6bucks • ¡(battery ↣ ◯robot) • !(6bucks ↣ ◯battery) ↣ ◯robot

Generally speaking, we can try to represent a trace T :: (Ψ; Δ) ⇝ (Ψ'; Δ') as a closed deductive proof λP. {let T in V} of the proposition (∃Ψ. •Δ) ↣ ◯(∃Ψ'. •Δ'),⁶ where the pattern P re-creates the initial process state (Ψ; Δ) and all the components of the final state are captured in the value V. The problem with this approach is that the final proposition is under no particular obligation to faithfully capture the structure of the final process state. This can be seen in the example above: to actually capture the structure of the final process state, we should have concluded robot • !(6bucks ↣ ◯battery) instead of simply robot. It is also possible to conclude any of the following:

1. robot • !(6bucks ↣ ◯battery) • !(6bucks ↣ ◯battery), or

2. robot • ¡(6bucks ↣ ◯battery) • ¡(6bucks ↣ ◯battery), or even

3. robot • ¡(6bucks • !(battery ↣ ◯robot) ↣ ◯robot) • ¡(robot ↣ ◯robot).

⁶The notation •Δ fuses together all the propositions in the context. For example, if Δ = w:⟨p+⟩ eph, x:A− ord, y:B− eph, z:C− pers, then •Δ = p+ • ↓A− • ¡B− • !C−. The notation ∃Ψ'.A+ turns all the bindings in the context Ψ' = a1:τ1, ..., an:τn into existential bindings ∃a1:τ1. ... ∃an:τn. A+.
The problem with encoding traces as complete proofs, then, is that values cannot be forced to precisely capture the structure of contexts, especially when dealing with variables or persistent propositions. Cervesato and Scedrov approach this problem by severely restricting the logic and changing the interpretation of the existential quantifier so that it acts like a nominal quantifier on the right [CS09]. The introduction of traces allows us to avoid similar restrictions in SLS.

Despite traces being proper syntactic objects, they are not first-class concepts in the theory: they are derived from focused OL3 terms and interpreted as partial proofs. Because hereditary substitution, identity expansion, and focalization are only defined on complete OL3 proofs, these theorems and operations only apply by analogy to the deductive fragment of SLS; they do not apply to traces. In joint work with Deng and Cervesato, we considered a presentation of logic that treats process states and traces as first-class concepts and reformulates the usual properties of cut and identity in terms of coinductive simulation relations on process states [DCS12]. We hope that this work will eventually lead to a better understanding of traces, but the gap remains quite large.

4.7.3 LF as a term language

The decision to use LF as a first-order domain of quantification rather than using a fully-dependent system is based on several considerations. First and foremost, this choice was sufficient for our purposes here. In fact, for the purposes of this dissertation, we could have used an even simpler term language of simply-typed LF [Pfe08]. Two other logic programming interpreters for SLS-like frameworks, Lollimon [LPPW05] and Ollibot [PS09], are in fact based on simply-typed term languages. Canonical LF and Spine Form LF are, at this point, sufficiently well understood that the additional overhead of fully dependently-typed terms is not a significant burden, and there are many examples beyond the scope of this dissertation where dependent types are useful.

On a theoretical level, it is a significant simplification when we restrict ourselves to any typed term language with a reasonable notion of equality and simultaneous substitution. The conceptual priority in this chapter is clear: Section 4.1 describes LF terms, Section 4.2 describes proof terms as a fragment of focused OL3, and Section 4.3 describes a coarser equivalence on proof terms, concurrent equality. If the domain of first-order quantification were SLS terms, these three considerations would be mutually dependent: we would need to characterize concurrent equality before presenting the logic itself. For the purposes of showing that a logical framework can be carved out from a focused logic (the central thesis of this and the previous two chapters), it is easiest to break this circular dependency. We conjecture that this complication is no great obstacle, but our approach avoids the issue.

On a practical level, there are advantages to using a well-understood term language. The SLS prototype implementation (Section 4.5) uses the mature type reconstruction engine of Twelf to reconstruct LF terms. Schack-Nielsen's implementation of type reconstruction for Celf is complicated by the requirements of dealing with type reconstruction for a substructural term language, a completely orthogonal consideration [SNS08].

Finally, it is not clear that the addition of full CLF-like dependency comes with great expressive benefit. In LF and Twelf, the ability to use full dependent types is critical in part because it allows us to express metatheorems, that is, theorems about the programming languages and logics we have encoded, like progress and preservation for a programming language or cut admissibility for a logic. Substructural logical frameworks like LLF and CLF, in contrast, have not been successful in capturing metatheorems with dependent types. Instead, metatheorems about substructural logics have thus far generally been performed in logical frameworks based on persistent logics. Crary proved theorems about linear logics and languages in LF using the technique of explicit contexts [Cra10]. Reed was able to prove cut admissibility for linear logic and preservation for the LLF encoding of Mini-ML in HLF, a persistent extension to LF that uses an equational theory to capture the structure of substructural contexts [Ree09a].
Part II

Substructural operational semantics
Chapter 5

On logical correspondence

In Part I, we defined SLS, a logical framework of substructural logical specifications. For the purposes of this dissertation, we are primarily interested in using SLS as a framework for specifying the operational semantics of programming languages, especially stateful and concurrent programming languages. This is not a new idea: one of the original case studies on CLF specification described the semantics of Concurrent ML [CPWW02] in a specification style termed substructural operational semantics, or SSOS, by Pfenning [Pfe04].

The design space of substructural operational semantics is extremely rich, and many styles of SSOS specification have been proposed previously. It is therefore helpful to have design principles that allow us to both classify different styles of presentation and predict what style(s) we should adopt based on what our goals are. In this chapter, we sketch out a classification scheme for substructural operational semantics based on three major specification styles:

* The natural semantics, or big-step operational semantics, is an existing and well-known specification style (and not a substructural operational semantics). It is convenient for the specification of pure programming languages.

* The ordered abstract machine semantics is a generalization of abstract machine semantics that can be naturally specified in SLS; this specification style naturally handles stateful and parallel programming language features [PS09].

* The destination-passing semantics is the style of substructural operational semantics first explored in CLF by Cervesato et al. [CPWW02]. It allows for the natural specification of features that incorporate communication and non-local transfer of control.

Each of these three styles is, in a formal sense, more expressive than the last: there are automatic and provably-correct transformations from the less expressive styles (natural semantics and ordered abstract machines) to the more expressive styles (ordered abstract machines and destination-passing, respectively). Our investigation of provably-correct transformations on SLS specifications therefore justifies our classification scheme for SSOS specifications. We call this idea the logical correspondence, and it is the focus of this refinement of our central thesis:

Thesis (Part II): A logical framework based on a rewriting interpretation of substructural logic supports many styles of programming language specification. These styles can be formally classified and connected by considering general transformations on logical specifications.
In this introductory chapter, we will outline our use of logical correspondence and connect it to previous work. The development of the logical correspondence as presented in this chapter, as well as the operationalization and defunctionalization transformations presented in the next chapter, represent joint work with Ian Zerny.


5.1 Logical correspondence

As stated above, we will primarily discuss and connect three different styles that are used for specifying the semantics of programming languages. The two styles of SSOS semantics, ordered abstract machines and destination-passing semantics, are considered because they do a good job of subsuming existing work on substructural operational semantics, a point we will return to at the end of this section. We consider natural semantics, a high-level, declarative style of specification that was inspired by Plotkin's structural operational semantics (SOS) [Plo04, Kah87], because natural semantics specifications are the easiest style to connect to substructural operational semantics. While we hope to extend the logical correspondence to other specification styles, such extensions are outside the scope of this dissertation.

While Kahn et al. defined the term broadly, natural semantics has been consistently connected with the big-step operational semantics style discussed in the introduction, where the judgment e ⇓ v expresses that the expression e evaluates to the value v:

  ---------------- ev/lam
   λx.e ⇓ λx.e

   e1 ⇓ λx.e    e2 ⇓ v2    [v2/x]e ⇓ v
  -------------------------------------- ev/app
               e1 e2 ⇓ v


Early work on natural semantics emphasized a dual interpretation of specifications. The primary interpretation of natural semantics specifications was operational. Natural semantics were implemented in the (non-logical) specification framework TYPOL that compiled natural semantics specifications into Prolog programs; the backward-chaining Prolog interpreter then gave an operational semantics to the specification [CDD+85]. It is also possible to view natural semantics specifications as inductive definitions; this interpretation allows proofs about terminating evaluations to be performed by induction over the structure of a natural semantics derivation [CDDK86].

The operational interpretation of natural semantics assigns a more specific meaning to expressions than the inductive definition does. For example, the rule ev/app as an inductive definition does not specify whether e1 or e2 should be evaluated in some particular order or in parallel; the TYPOL-to-Prolog compiler could have reasonably made several choices in such a situation. More fundamentally, the logic programming interpretation inserts semantic information into a natural semantics specification that is not present when we view the specification as an inductive definition (though it might be just as accurate to say that the logic programming interpretation preserves meaning that is lost when the specification is viewed as an inductive definition). The interpretation of the rules above as an inductive definition does not allow us to distinguish non-termination (searching forever for a v such that e ⇓ v) from failure (concluding finitely that there is no v such that e ⇓ v). The logic programming interpreter, on the other hand, will either succeed, run forever, or give up, thereby distinguishing two cases that are indistinguishable when the specification is interpreted as an inductive definition.
[Figure: diagram relating the natural semantics, ordered abstract machine, and destination-passing styles by the operationalization, destination-adding, and approximation transformations; not reproduced here]

Figure 5.1: Major transformations on SLS specifications


We will present a transformation called operationalization from SLS-encoded natural semantics specifications into ordered abstract machines. The transformation from natural semantics to ordered abstract machines is only an instance of a much more general picture. The basic idea of operationalization is to model backward-chaining logic programming (in the sense of Section 4.6.1) as forward-chaining logic programming (in the sense of Section 4.6.2). The transformation reifies and exposes the internal structure of backward-chaining search, making evaluation order and parallelism explicit. That exposed structure enables us to reason about the difference between non-termination and failure. In turn, ordered abstract machine specifications can be transformed into destination-passing specifications by a transformation called destination-adding, which reifies and exposes control flow information that is implicit in the ordered context of an ordered abstract machine. Destination-passing specifications can then be transformed into a collecting semantics by approximation, which lets us obtain program analyses like control flow analysis. The operationalization and destination-adding transformations have been implemented within the SLS prototype. Approximation, on the other hand, requires significant input from the user and so is less reasonable to implement as an automatic transformation.

These major transformations are presented graphically in Figure 5.1 in terms of the three classification styles (natural semantics, ordered abstract machines, and destination-passing) discussed above. There are many other smaller design decisions that can be made in the creation of a substructural operational semantics, two of which are represented in this figure. One distinction, destination-passing with linear continuations versus persistent continuations, has to do with whether it is possible to return to a previous point in a program's execution and is discussed, along with first-class continuations, in Section 7.2.4.

Another distinction is between nested and flat specifications. This distinction applies to all concurrent SLS specifications, not just those that specify substructural operational semantics. Flat specifications include rewriting rules $(p_1 \bullet \ldots \bullet p_n \rightarrowtail \{q_1 \bullet \ldots \bullet q_m\})$ where the head of the rule $\{q_1 \bullet \ldots \bullet q_m\}$ contains only atomic propositions. Nested SLS specifications, on the other hand, may contain rules in the conclusions of rules; when the rule fires, the resulting process state contains the rule. A rule $A^+ \rightarrowtail \{B^+\}$ in the context can only fire if a piece of the context matching $A^+$ appears to its left, so $(x{:}(p_1(c))\ \mathit{ord},\ y{:}(p_1(c) \rightarrowtail \{p_2(c)\})\ \mathit{ord}) \leadsto (z{:}(p_2(c))\ \mathit{ord})$, whereas $(y{:}(p_1(c) \rightarrowtail \{p_2(c)\})\ \mathit{ord},\ x{:}(p_1(c))\ \mathit{ord}) \not\leadsto$. Another example of the evolution of a process state with nested rules is given in Figure 5.2. (Appendix A gives a summary of the notation used for process states.) The choice of nested versus flat specification does not impact expressiveness, but it does influence our ability to read specifications (opinions differ as to which style is clearer), as well as our ability to reason about specifications. The methodology of describing the invariants of substructural logical specifications with generative signatures, which we introduced in Section 4.4 and which we will consider further in Chapter 9, seems better-adapted to describing the invariants of flat specifications.

$$x_1{:}(p_2(c))\ \mathit{ord},\ x_2{:}(p_1(c))\ \mathit{ord},\ x_3{:}(\forall x.\ p_1(x) \rightarrowtail \{p_2(x) \rightarrowtail \{p_3(x)\}\})\ \mathit{ord},\ x_4{:}(p_3(c) \rightarrowtail \{p_4\})\ \mathit{ord}$$
$$\leadsto\ x_1{:}(p_2(c))\ \mathit{ord},\ x_5{:}(p_2(c) \rightarrowtail \{p_3(c)\})\ \mathit{ord},\ x_4{:}(p_3(c) \rightarrowtail \{p_4\})\ \mathit{ord}$$
$$\leadsto\ x_6{:}(p_3(c))\ \mathit{ord},\ x_4{:}(p_3(c) \rightarrowtail \{p_4\})\ \mathit{ord}$$
$$\leadsto\ x_7{:}(p_4)\ \mathit{ord}$$

Figure 5.2: Evolution of a nested SLS process state
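To make the firing condition concrete, the following is an added Python simulation of an ordered process state with nested rules; it is illustration code written for this page, not the SLS prototype, and it models only the case where a rule's premises are atoms that must sit immediately to its left (SLS's matching of an arbitrary positive $A^+$ is richer). It reproduces the two-element example in the text, where the same two propositions fire in one order and are stuck in the other, and the three transitions of Figure 5.2, including the instantiation of the universally quantified nested rule. The initial states are constructed here from the figure and the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Atom:
    pred: str
    args: Tuple[str, ...] = ()
    def __str__(self) -> str:
        return self.pred + (f"({','.join(self.args)})" if self.args else "")

@dataclass(frozen=True)
class Rule:
    """∀vars. premises ↣ {conclusions}; `vars` are pattern variables and a
    conclusion may itself be a Rule (a nested specification)."""
    vars: Tuple[str, ...]
    premises: Tuple[Atom, ...]
    conclusions: Tuple["Prop", ...]
    def __str__(self) -> str:
        q = f"∀{','.join(self.vars)}. " if self.vars else ""
        return (f"({q}{' • '.join(map(str, self.premises))} ↣ "
                f"{{{' • '.join(map(str, self.conclusions))}}})")

Prop = Union[Atom, Rule]
Context = Tuple[Prop, ...]          # an ordered context: position matters
Env = Dict[str, str]

def match(pat: Atom, atom: Atom, vars: Tuple[str, ...], env: Env) -> Optional[Env]:
    """First-order matching of one premise against one context atom."""
    if pat.pred != atom.pred or len(pat.args) != len(atom.args):
        return None
    env = dict(env)
    for p, a in zip(pat.args, atom.args):
        if p in vars:
            if env.setdefault(p, a) != a:      # variable already bound differently
                return None
        elif p != a:                           # constants must agree
            return None
    return env

def instantiate(p: Prop, env: Env) -> Prop:
    """Apply a substitution to an atom or, recursively, to a nested rule."""
    if isinstance(p, Atom):
        return Atom(p.pred, tuple(env.get(a, a) for a in p.args))
    inner = {k: v for k, v in env.items() if k not in p.vars}   # inner binders shadow
    return Rule(p.vars, tuple(instantiate(q, inner) for q in p.premises),
                tuple(instantiate(q, inner) for q in p.conclusions))

def step(ctx: Context) -> Optional[Context]:
    """One transition ⇝: the leftmost rule whose premises match the atoms
    immediately to its left consumes them and itself, leaving its instantiated
    conclusions in that position.  Returns None when no rule can fire."""
    for i, p in enumerate(ctx):
        if not isinstance(p, Rule) or len(p.premises) > i:
            continue
        left = ctx[i - len(p.premises):i]
        env: Optional[Env] = {}
        for pat, a in zip(p.premises, left):
            if env is not None:
                env = match(pat, a, p.vars, env) if isinstance(a, Atom) else None
        if env is None:
            continue
        new = tuple(instantiate(c, env) for c in p.conclusions)
        return ctx[:i - len(p.premises)] + new + ctx[i + 1:]
    return None

def run(ctx: Context, limit: int = 100) -> List[Context]:
    """The sequence of process states reached from ctx until quiescence."""
    trace = [ctx]
    while len(trace) <= limit:
        nxt = step(trace[-1])
        if nxt is None:
            break
        trace.append(nxt)
    return trace

def P(name: str, *args: str) -> Atom:
    return Atom(name, args)

# Figure 5.2's initial state, constructed from the figure.
FIG52: Context = (
    P("p2", "c"), P("p1", "c"),
    Rule(("x",), (P("p1", "x"),), (Rule((), (P("p2", "x"),), (P("p3", "x"),)),)),
    Rule((), (P("p3", "c"),), (P("p4"),)),
)
# The two-element example from the text: the same propositions in both orders.
R = Rule((), (P("p1", "c"),), (P("p2", "c"),))
FIRES: Context = (P("p1", "c"), R)
BLOCKED: Context = (R, P("p1", "c"))

if __name__ == "__main__":
    for state in run(FIG52):
        print(", ".join(map(str, state)))
```

Running the script prints the four states of Figure 5.2 in order; `step(FIRES)` yields the singleton state containing $p_2(c)$, while `step(BLOCKED)` returns `None` because the atom the rule needs lies to its right. The leftmost-first choice in `step` is a scheduling decision of this simulation, not something the ordered context itself dictates.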

Other distinctions between SSOS specifications can be understood in terms of nondeterministic choices that can be made by the various transformations we consider. For example, the operationalization transformation can produce ordered abstract machines that evaluate subcomputations in parallel or in sequence. In general, one source specification (a natural semantics or an ordered abstract machine specification) can give rise to several different target specifications (ordered abstract machine specifications or destination-passing specifications). The correctness of the transformation then acts as a simple proof of the equivalence of the several target specifications. (The prototype implementations of these transformations only do one thing, but the nondeterministic transformations we prove correct would justify giving the user a set of additional controls; for instance, the user could make the operationalization transformation be tail-call-optimizing or not and parallelism-enabling or not.)

The nondeterministic choices that transformations can make give us a rigorous vocabulary for describing choices that otherwise seem unmotivated. An example of this can be found in the paper that introduced the destination-adding and approximation transformations [SP11a]. In that article, we had to motivate an ad hoc change to the usual abstract machine semantics. In this dissertation, by the time we encounter a similar specification in Chapter 8, we will be able to see that this change corresponds to omitting tail-recursion optimization in the process of operationalization.

Our taxonomy does a good job of capturing the scope of existing work on SSOS specifications. Figure 5.3 shows previous published work on SSOS specifications mapped onto a version of the diagram from Figure 5.1. With the possible exception of certain aspects of the SSOS presentation in Pfenning's course notes [Pfe12e], the taxonomy described above captures the scope of previous work.


[Figure 5.3: Classification of existing work on SSOS specifications (diagram not reproduced). It arranges [Pfe04], [PS09], [SP11a], [CPWW02], and [SN07] along the axes of Figure 5.1: ordered abstract machines versus destination-passing with linear or with persistent continuations, and nested versus flat specifications, with expressiveness increasing from left to right.]


5.2  Related  work 

This  part  of  the  dissertation  draws  from  many  different  sources  of  inspiration.  In  this  section,  we 
survey  this  related  work  and,  where  applicable,  outline  how  our  use  of  logical  correspondence 
differs  from  existing  work. 

Partiality  in  deductive  computation 

The genesis of the operationalization transformation discussed in Chapter 6 can be found in the treatment of the operational semantics of LF in Tom Murphy VII's dissertation [Mur08]; this treatment can be seen as a synthesis of the operational interpretation of natural semantics explored in Clément et al.'s early work on natural semantics in TYPOL and the approach to theorem proving pioneered by Twelf [PS99b].

In his dissertation, Murphy described a natural semantics for Lambda 5, a distributed programming language, and encoded that specification in Twelf. He then wanted to interpret that natural semantics as an operational semantics for Lambda 5 in the style of Clément et al., which is a natural application of Twelf's logic program interpretation [MP92]. However, Murphy also wanted to prove a safety property for his language in Twelf, and the usual approach to theorem proving in Twelf involves treating specifications as inductive definitions. As discussed above, natural semantics do not distinguish non-termination (which is safe) from failure (which indicates underspecification and is therefore unsafe).

Theorem proving in Twelf involves interpreting proofs as backward chaining logic programs that do not backtrack (recall that we called this the flat resolution interpretation in Section 4.6.1). Murphy was able to use the checks Twelf performs on proofs to describe a special purpose partiality directive. If a logic program passed his series of checks, Murphy could conclude that well-moded, flat resolution would never fail and never backtrack, though it might diverge. This check amounted to a proof of safety (progress and preservation) for the operational interpretation of his natural semantics via flat resolution. It seems that every other existing proof of safety¹ for a big-step operational semantics is either classical (like Leroy and Grall's approach, described below) or else depends on a separate proof of equivalence with a small-step operational semantics.

Murphy's proof only works because his formulation of Lambda 5 is intrinsically typed, meaning that, using the facilities provided by LF's dependent types, he enforced that only well-typed terms could possibly be evaluated. (His general proof technique should apply more generally, but it would take much more work to express the check in Twelf.) The operationalization transformation is a way to automatically derive a correct small-step semantics from the big-step semantics by making the internal structure of a backward chaining computation explicit as a specification in the concurrent fragment of SLS. Having made this structure accessible, we can explicitly represent complete, unfinished, and stuck (or failing) computations as concurrent traces and reason about these traces with a richer set of tools than the limited set Murphy successfully utilized.

A  coinductive  interpretation 

Murphy proved safety for a natural semantics specification by recovering the original operational interpretation of natural semantics specifications as logic programs and then using Twelf's facilities for reasoning about logic programs. Leroy and Grall, in [LG09], suggest a novel coinductive interpretation of natural semantics specifications. Coevaluation $e \Downarrow^{co} v$ is defined as the greatest fixed point of the following rules:

$$\dfrac{}{\lambda x.e \Downarrow^{co} \lambda x.e} \qquad \dfrac{e_1 \Downarrow^{co} \lambda x.e \quad e_2 \Downarrow^{co} v_2 \quad [v_2/x]e \Downarrow^{co} v}{e_1\,e_2 \Downarrow^{co} v}$$

Aside from the $co$ annotation and the different interpretation, these rules are syntactically identical to the natural semantics above that were implicitly given an inductive interpretation.

Directly reinterpreting the inductive specification as a coinductive specification doesn't quite produce the right result in the end. For some diverging terms like $u = (\lambda x.\,x\,x)\,(\lambda x.\,x\,x)$, we can derive $u \Downarrow^{co} e$ for any expression $e$, including expressions that are not values and expressions with no relation to the original term. Conversely, there are diverging terms $\mathit{Div}$ such that $\mathit{Div} \Downarrow^{co} e$ is not derivable for any $e$.² As a result, Leroy and Grall also give a coinductive definition of diverging terms $e \Downarrow^{\infty}$ that references the inductively-defined evaluation judgment $e \Downarrow v$:

$$\dfrac{e_1 \Downarrow^{\infty}}{e_1\,e_2 \Downarrow^{\infty}} \qquad \dfrac{e_1 \Downarrow v_1 \quad e_2 \Downarrow^{\infty}}{e_1\,e_2 \Downarrow^{\infty}} \qquad \dfrac{e_1 \Downarrow \lambda x.e \quad e_2 \Downarrow v_2 \quad [v_2/x]e \Downarrow^{\infty}}{e_1\,e_2 \Downarrow^{\infty}}$$

Now diverging expressions are fully characterized as those $e$ for which $e \Downarrow^{\infty}$ is derivable with an infinite derivation tree. With this definition, Leroy and Grall prove a type safety property: if $e$ has type $\tau$, then either $e \Downarrow v$ or $e \Downarrow^{\infty}$. However, the disjunctive character of this theorem means that a constructive proof of type safety would be required to take a typing derivation $e : \tau$ as

¹Progress in particular is the theorem of concern: proving preservation for a big-step operational semantics is straightforward.

²Leroy and Grall discuss a counterexample due to Filinski: $\mathit{Div} = Y\,F\,x$, where $Y$ is the fixed-point combinator $\lambda f.\,(\lambda x.\,f\,(\lambda v.\,(x\,x)\,v))\,(\lambda x.\,f\,(\lambda v.\,(x\,x)\,v))$ and $F$ is $\lambda f.\,\lambda x.\,(\lambda g.\,\lambda y.\,g\,y)\,(f\,x)$ [LG09].
input and produce as output either a proof of termination $e \Downarrow v$ or a proof of divergence $e \Downarrow^{\infty}$. This implies that a constructive type safety theorem would need to decide termination, and so it is unsurprising that type safety is proved classically by Leroy and Grall.

We suggest that the operationalization transformation, seen as a logical extension to Murphy's methodology, is superior to the coinductive (re)interpretation as a way of understanding the behavior of diverging evaluations in the natural semantics. Both approaches reinterpret natural semantics in an operational way, but the operationalization transformation gives us a satisfactory treatment of diverging terms without requiring the definition of an additional coinductive judgment $e \Downarrow^{\infty}$. And even with the addition of the coinductively defined judgment $e \Downarrow^{\infty}$, coinductive big-step operational semantics have significant issues handling nondeterministic languages, a point that we will elaborate on in Section 6.4.

The  functional  correspondence 

The ordered abstract machine that results from our operationalization transformation corresponds to a standard abstract machine model (a statement that is made precise in Section 6.3). In this sense, the logical correspondence has a great deal in common with the functional correspondence of Ager, Danvy, Midtgaard, and others [ABDM03, ADM04, ADM05, Dan08, DMMZ12].

The goal of the functional correspondence is to encode various styles of semantic specifications (natural semantics, abstract machines, small-step structural operational semantics, environment semantics, etc.) as functional programs. It is then possible to show that these styles can be related by off-the-shelf and fully correct transformations on functional programs. The largest essential difference between the functional and logical correspondences, then, is that the functional correspondence acts on functional programs, whereas the logical correspondence acts on specifications encoded in a logical framework (in our case, the logical framework SLS).

The functional correspondence as given assumes that semantic specifications are adequately represented as functional programs; the equivalence of the encoding and the "on paper" semantics is an assumed prerequisite. In contrast, by basing the logical correspondence upon the SLS framework, we make it possible to reason formally and precisely about adequate representation by the methodology outlined in Section 4.4. The functional correspondence also shares some of the coinductive reinterpretation's difficulties in dealing with nondeterministic and parallel execution. The tools we can use to express the semantics are heavily influenced by the semantics of the host programming language, and so the specifics of the host language can make it dramatically more or less convenient to encode nondeterministic or parallel programming language features.

Transformation  on  specifications 

Two papers by Hannan and Miller [HM92] and Ager [Age04] are the most closely related to our operationalization transformation. Both papers propose operationalizing natural semantics specifications as abstract machines by provably correct and general transformations on logical specifications (in the case of Hannan and Miller) or on specifications in the special-purpose framework of L-attributed natural semantics (in the case of Ager). A major difference in this case is that both lines of work result in deductive specifications of abstract machines. Our translation into the concurrent fragment of SLS has the advantage of exploiting parallelism, and also opens up specifications to the modular inclusion of stateful and concurrent features, as we will foreshadow in Section 5.3 below and discuss further in Section 6.5.

The transformation we call defunctionalization in Section 6.2, as well as its inverse, refunctionalization, makes appearances throughout the literature under various names. The transformation is not strictly analogous to Reynolds's defunctionalization transformation on functional programs [Rey72], but it is based upon the same idea: we take an independently transitioning object like a function (or, in our case, a negative proposition in the process state) and turn it into data and an application function. In our case, the data is a positive atomic proposition in the process state and the application function is a rule in the signature that explains how the positive atomic proposition can participate in transitions. The role of defunctionalization within our work on the logical correspondence is very similar to the role of Reynolds's defunctionalization within work on the functional correspondence [Dan08]. Defunctionalization is related to the process of representing a process calculus object in the chemical abstract machine [BB90]. It is also related to a transformation discussed by Miller in [Mil02] in which new propositions are introduced and existentially quantified locally in order to hide the internal states of processes.

The destination-adding transformation described in Section 7.1 closely follows the contours of work by Morrill, Moot, and Piazza on translating ordered logic into linear logic [Mor95, MP01]. That work is, in turn, based on van Benthem's relational models of ordered logic [vB91]. Their transformations handle a more uniform logical fragment, whereas the transformation we describe handles a specific (though useful) fragment of the much richer logic of SLS propositions.

Related  work  for  program  analysis  methodology  covered  in  Chapter  8  is  discussed  further  in 
Section  8.6. 

Abstract  machines  in  substructural  logic 

With the exception of our encodings of natural semantics, all our work on the logical correspondence takes place in the concurrent (rewriting-like) fragment of SLS. This is consistent with the tradition of substructural operational semantics, but there is another tradition of encoding abstract machines in substructural logical frameworks using frameworks that can be seen as deductive fragments of SLS. The resulting logical specifications are functionally similar to the big-step abstract machine specifications derived by Hannan and Miller, but like SSOS specifications they can take advantage of the substructural context for the purpose of modular extension (as discussed in the next section).

This line of work dates back to Cervesato and Pfenning's formalization of Mini-ML with references in Linear LF [CP02]; a mechanized preservation property for this specification was given by Reed [Ree09a]. An extension to this technique, which uses Polakow's Ordered LF to represent control stacks, is presented by Felty and Momigliano and used to mechanize a preservation property [FM12]. Both these styles of deductive big-step specification are useful for creating language specifications that can be modularly extended with stateful and control features, but neither does a good job with modular specification of concurrent or parallel features.

[Figure 5.4: Using the logical correspondence for modular language extension (diagram not reproduced)]

Both of these specifications should be seen as different points in a larger story of logical correspondence that we are only beginning to explore in this dissertation. The use of the ordered context in Felty and Momigliano's specification, in particular, is exactly analogous to the non-parallel ordered abstract machines in Chapter 6. We therefore posit the existence of a general transformation, similar to operationalization, that connects the two.


5.3  Transformation  and  modular  extension 

All the related work described in the previous section is concerned with correspondence. That is, the authors were interested in the process of transforming natural semantics into abstract machines and in the study of abstract machines that are in the image of this translation. It is possible to view the logical correspondence in the same light, but that is not how logical correspondence will be used in this document. Indeed, it is not our intent to advocate strongly for the use of natural semantics specifications at all; recall that natural semantics were used to illustrate problems with non-modularity in language specification in Section 1.2.

Instead, we will view the transformations illustrated as arrows in Figure 5.1 in an expressly directed fashion, operationalizing natural semantics as ordered abstract machines and transforming ordered abstract machines into destination-passing semantics without giving too much thought to the opposite direction. In the context of this dissertation, the reason that transformations are important is that they expose more of the semantics to manipulation and modular extension. The operationalization transformation in Chapter 6 exposes the order of evaluation, and the SLS framework then makes it possible to modularly extend the language with stateful features: this is exactly what we demonstrated in Section 1.2 and will demonstrate again in Section 6.5. The destination-adding transformation exposes the control structure of programs; this makes it possible to discuss first-class continuations as well as the interaction of parallelism and failure (though not necessarily at the same time, as discussed in Section 7.2.4). The control structure exposed by the destination-adding transformation is the basis of the control flow analysis in Chapter 8.

In the next three chapters that make up Part II of this dissertation, we will present natural semantics specifications and substructural operational semantics specifications in a number of styles. We do so with the confidence that these specifications can be automatically transformed into the "lowest common denominator" of flat destination-passing specifications. Certainly, this means that we should be unconcerned about using a higher-level style such as the ordered abstract machine semantics, or even natural semantics, when that seems appropriate. If we need the richer structure of destination-passing semantics later on, the specification can be automatically transformed. Using the original, high-level specifications, the composition of different language features may appear to be a tedious and error-prone process of revision, but after transformation into the lowest-common-denominator specification style, composition can be performed by simply concatenating the specifications.

Taking this idea to its logical conclusion, Appendix B presents the hybrid operational semantics specification mapped out in Figure 5.4. Individual language features are specified at the highest-level specification style that is reasonable and then automatically transformed into a single compatible specification by the transformations implemented in the SLS prototype. In such a specification, a change to a high-level feature (turning call-by-value functions to call-by-name functions, for instance) can be made at the level of natural semantics and then propagated by transformation into the common (destination-passing style) specification.
Chapter 6

Ordered  abstract  machines 


This chapter centers around two transformations on logical specifications. Taken together, the operationalization transformation (Section 6.1) and the defunctionalization transformation (Section 6.2) allow us to establish the logical correspondence between the deductive SLS specification of a natural semantics and the concurrent SLS specification of an abstract machine.

Natural semantics specifications are common in the literature, and are also easy to encode in either the deductive fragment of SLS or in a purely deductive logical framework like LF. We will continue to use the natural semantics specification of call-by-value evaluation for the lambda calculus as a running example:

$$\dfrac{}{\lambda x.e \Downarrow \lambda x.e}\ \mathit{ev/lam} \qquad \dfrac{e_1 \Downarrow \lambda x.e \quad e_2 \Downarrow v_2 \quad [v_2/x]e \Downarrow v}{e_1\,e_2 \Downarrow v}\ \mathit{ev/app}$$

Natural semantics are a big-step semantics: the judgment $e \Downarrow v$ describes the relationship between an initial expression $e$ and the value $v$ to which it will eventually evaluate.

The alternative to a big-step semantics is a small-step semantics, which describes the relationship between one intermediate state of a computation and another intermediate state after a single transition. One form of small-step semantics is a structural operational semantics (SOS) specification [Plo04]. The SOS specification of call-by-value evaluation for the lambda calculus is specified in terms of two judgments: $v\ \mathit{value}$, which expresses that $v$ is a value that is not expected to make any more transitions, and $e_1 \mapsto e_2$, which expresses that $e_1$ transitions to $e_2$ by reducing a $\beta$-redex.

$$\dfrac{}{\lambda x.e\ \mathit{value}} \qquad \dfrac{e_1 \mapsto e_1'}{e_1\,e_2 \mapsto e_1'\,e_2} \qquad \dfrac{e_1\ \mathit{value} \quad e_2 \mapsto e_2'}{e_1\,e_2 \mapsto e_1\,e_2'} \qquad \dfrac{v\ \mathit{value}}{(\lambda x.e)\,v \mapsto [v/x]e}$$

Abstract machine semantics are another important small-step semantics style. The most well-known abstract machine semantics is almost certainly Landin's SECD machine [Lan64], though our abstract machine presentation below is much closer to Danvy's SC machine from [Dan03] and Harper's $\mathcal{K}\{\mathrm{nat}\rightharpoonup\}$ system from [Har12, Chapter 27]. This abstract machine semantics is defined in terms of states $s$. The state $s = k \rhd e$ represents the expression $e$ being evaluated on top of the stack $k$, and the state $s = k \lhd v$ represents the value $v$ being returned to the stack $k$. Stacks $k$ have the form $((\ldots(\mathsf{halt}; f_1); \ldots); f_n)$: they are left-associative sequences of frames $f$ terminated by $\mathsf{halt}$, where $\mathsf{halt} \rhd e$ is the initial state in the evaluation of $e$ and $\mathsf{halt} \lhd v$ is a final state that has completed evaluating to a value $v$. Each frame $f$ either has the form $\Box\,e_2$ (an application frame waiting for an evaluated function to be returned to it) or the form $(\lambda x.e)\,\Box$ (an application frame with an evaluated function waiting for an evaluated value to be returned to it). Given states, stacks, and frames, we can define a "classical" abstract machine for call-by-value evaluation of the lambda calculus as a transition system with four transition rules:


$$k \rhd \lambda x.e \;\mapsto\; k \lhd \lambda x.e \qquad \mathit{absmachine/lam}$$
$$k \rhd e_1\,e_2 \;\mapsto\; (k; \Box\,e_2) \rhd e_1 \qquad \mathit{absmachine/app}$$
$$(k; \Box\,e_2) \lhd \lambda x.e \;\mapsto\; (k; (\lambda x.e)\,\Box) \rhd e_2 \qquad \mathit{absmachine/app1}$$
$$(k; (\lambda x.e)\,\Box) \lhd v_2 \;\mapsto\; k \rhd [v_2/x]e \qquad \mathit{absmachine/app2}$$


The operational intuition for these rules is precisely the same as the operational intuition for the rewriting rules given in Section 1.2. This is not coincidental: the SLS specification from the introduction adequately encodes the transition system $s \mapsto s'$ defined above, a point that we will make precise in Section 6.3. The SLS specification from the introduction is also the result of applying the operationalization and defunctionalization transformations to the SLS encoding of the natural semantics given above. Therefore, these two transformations combined with the adequacy arguments at either end constitute a logical correspondence between natural semantics and abstract machines.

As discussed in Section 5.3, it is interesting to put existing specification styles into logical correspondence, but that is not our main reason for investigating logical correspondence in the context of this thesis. Rather, we are primarily interested in exploring the set of programming language features that can be modularly integrated into a transformed SLS specification and that could not be integrated into a natural semantics specification in a modular fashion. In Section 6.5 we explore a selection of these features, including mutable storage, call-by-need evaluation, and recoverable failure.


6.1  Logical  transformation:  operationalization 

The intuition behind operationalization is rather simple: we examine the structure of backward chaining and then specify that computational process as an SLS specification. Before presenting the general transformation, we will motivate this transformation using our natural semantics specification of call-by-value evaluation.

The definition of $e \Downarrow v$ is moded with $e$ as an input and $v$ as an output, so it is meaningful to talk about being given $e$ and using deductive computation to search for a $v$ such that $e \Downarrow v$ is derivable. Consider a recursive search procedure implementing this particular deductive computation:

* If $e = \lambda x.e'$, it is possible to derive $\lambda x.e' \Downarrow \lambda x.e'$ with the rule ev/lam.

* If $e = e_1\,e_2$, attempt to derive $e_1\,e_2 \Downarrow v$ using the rule ev/app by doing the following:

  1. Search for a $v_1$ such that $e_1 \Downarrow v_1$ is derivable.

  2. Assess whether $v_1 = \lambda x.e$ for some $e$; fail if it is not.

  3. Search for a $v_2$ such that $e_2 \Downarrow v_2$ is derivable.

  4. Compute $e' = [v_2/x]e$.

  5. Search for a $v$ such that $e' \Downarrow v$ is derivable.
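The five-step procedure above, the four-rule abstract machine from the start of this chapter, and the distinction between non-termination and failure that motivates the transformation (Section 5.1, and the discussion of Leroy and Grall's counterexample in Section 5.2), brought together in an added Python example. This is illustration code written for this page, not the dissertation's SLS encoding or the SLS prototype. `big_step` follows the five steps literally and so can only return a value, raise `Fail`, or recurse forever, while `run` drives the $k \rhd e$ / $k \lhd v$ machine under a transition budget and reports each trace as complete, stuck, or unfinished, which is the three-way distinction the text says the inductive reading cannot make. The sample terms are constructed here; for Filinski's $\mathit{Div} = Y\,F\,x$ the free $x$ is replaced by the closed identity function, an assumption of this example.

```python
from dataclasses import dataclass
from typing import Union, Tuple, List, Optional, Set
import itertools

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    x: str
    body: "Exp"

@dataclass(frozen=True)
class App:
    fn: "Exp"
    arg: "Exp"

Exp = Union[Var, Lam, App]
_fresh = itertools.count()

def fv(e: Exp) -> Set[str]:
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, Lam):
        return fv(e.body) - {e.x}
    return fv(e.fn) | fv(e.arg)

def subst(v: Exp, x: str, e: Exp) -> Exp:
    """[v/x]e, renaming a binder that would capture a free variable of v."""
    if isinstance(e, Var):
        return v if e.name == x else e
    if isinstance(e, App):
        return App(subst(v, x, e.fn), subst(v, x, e.arg))
    if e.x == x:                                   # x is shadowed: nothing to do
        return e
    if e.x in fv(v):
        y = f"{e.x}_{next(_fresh)}"
        e = Lam(y, subst(Var(y), e.x, e.body))
    return Lam(e.x, subst(v, x, e.body))

class Fail(Exception):
    """Finite failure: no evaluation rule applies."""

def big_step(e: Exp) -> Lam:
    """The search procedure for e ⇓ v: ev/lam, then the five steps of ev/app.
    Returns a value, raises Fail, or (for a diverging e) never returns."""
    if isinstance(e, Lam):                         # ev/lam
        return e
    if isinstance(e, App):
        v1 = big_step(e.fn)                        # 1. e1 ⇓ v1
        if not isinstance(v1, Lam):                # 2. v1 must be λx.e (cannot fail
            raise Fail(f"{v1} is not a function")  #    here: every value is a λ)
        v2 = big_step(e.arg)                       # 3. e2 ⇓ v2
        return big_step(subst(v2, v1.x, v1.body))  # 4.-5. e' = [v2/x]e, then e' ⇓ v
    raise Fail(f"no rule for free variable {e.name}")

# Machine states: ("eval", k, e) is k ▷ e and ("retn", k, v) is k ◁ v.  The stack k
# is a list of frames with halt = []; ("arg", e2) is □ e2, ("fun", λx.e) is (λx.e) □.
State = Tuple[str, List[Tuple[str, Exp]], Exp]

def step(s: State) -> Optional[State]:
    """One transition s ↦ s', or None when no rule applies."""
    mode, k, t = s
    if mode == "eval":
        if isinstance(t, Lam):
            return ("retn", k, t)                               # absmachine/lam
        if isinstance(t, App):
            return ("eval", k + [("arg", t.arg)], t.fn)         # absmachine/app
        return None                                             # free variable: stuck
    if not k:
        return None                                             # halt ◁ v is final
    kind, payload = k[-1]
    if kind == "arg":
        return ("eval", k[:-1] + [("fun", t)], payload)         # absmachine/app1
    return ("eval", k[:-1], subst(t, payload.x, payload.body))  # absmachine/app2

def run(e: Exp, budget: int) -> Tuple[str, object]:
    """Drive halt ▷ e for at most `budget` transitions and classify the trace:
    ("value", v) for halt ◁ v, ("stuck", s) when no rule applies, and
    ("unfinished", s) when the budget runs out.  The inductive reading of
    e ⇓ v merges the last two outcomes into "not derivable"."""
    s: State = ("eval", [], e)
    for _ in range(budget):
        if s[0] == "retn" and not s[1]:
            return ("value", s[2])
        nxt = step(s)
        if nxt is None:
            return ("stuck", s)
        s = nxt
    return ("unfinished", s)

# Sample terms, constructed for this example.
I = Lam("z", Var("z"))
K = Lam("a", Lam("b", Var("a")))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))), Lam("x", App(Var("x"), Var("x"))))
STUCK = App(Var("y"), I)                  # free y in function position: no rule
# Filinski's Div = Y F x (footnote 2), with the free x replaced by I (an assumption).
_W = Lam("x", App(Var("f"), Lam("v", App(App(Var("x"), Var("x")), Var("v")))))
Y = Lam("f", App(_W, _W))
F = Lam("f", Lam("x", App(Lam("g", Lam("y", App(Var("g"), Var("y")))),
                          App(Var("f"), Var("x")))))
DIV = App(App(Y, F), I)
```

On `App(App(K, I), I)` the search procedure and the machine agree on the value `I`; `OMEGA` and `DIV` exhaust any budget without reaching a final state, and `STUCK` halts in a state where no rule applies. The budget is a property of this driver, not of the machine: the machine's trace is what separates "run forever" from "give up", and a single failed search for $e \Downarrow v$ under the inductive reading would report both the same way.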

The goal of the operationalization transformation is to represent this deductive computation as a specification in the concurrent fragment of SLS. (To be sure, "concurrent" will seem like a strange word to use at first, as the specifications we write in the concurrent fragment of SLS will be completely sequential until Section 6.1.4.) The first step in this process, representing the syntax of expressions as LF terms of type exp, was discussed in Section 4.1.4. The second step is to introduce two new ordered atomic propositions. The proposition $eval\ \ulcorner e \urcorner$ is the starting point, indicating that we want to search for a $v$ such that $e \Downarrow v$, and the proposition $retn\ \ulcorner v \urcorner$ indicates the successful completion of this procedure. Therefore, searching for a $v$ such that $e \Downarrow v$ is derivable will be analogous to building a trace $T :: x_e{:}(eval\ \ulcorner e \urcorner) \leadsto^* x_v{:}(retn\ \ulcorner v \urcorner)$.

Representing the first case is straightforward: if we are evaluating $\lambda x.e$, then we have succeeded and can return $\lambda x.e$. This is encoded as the following proposition:

$\forall E.\ eval\ (lam\ \lambda x.\ E\ x) \twoheadrightarrow \{retn\ (lam\ \lambda x.\ E\ x)\}$

The natural deduction rule ev/app involves both recursion and multiple subgoals. The five steps in our informal search procedure are turned into three phases in SLS, corresponding to the three recursive calls to the search procedure: steps 1 and 2 are combined, as are steps 4 and 5. Whenever we make a recursive call to the search procedure, we leave a negative ordered proposition $A^-\ ord$ in the context that awaits the return of a proposition $retn\ \ulcorner v' \urcorner$ to its left and then continues with the search procedure. Thus, each of the recursive calls to the search procedure will involve a sub-trace of the form

$x_e{:}(eval\ \ulcorner e \urcorner),\ y{:}A^-\ ord,\ \Delta \;\leadsto^*\; x_v{:}(retn\ \ulcorner v \urcorner),\ y{:}A^-\ ord,\ \Delta$

where $A^-$ is a negative proposition that is prepared to interact with the subgoal's final $retn\ \ulcorner v \urcorner$ proposition to kickstart the rest of the computation. This negative proposition is, in effect, the calling procedure's continuation.

The nested rule for evaluating $e_1\ e_2$ to a value is the following proposition. The three phases, marked with dashed boxes in the original figure, are the three successively nested positive propositions, labelled here on the right:

$\forall E_1.\ \forall E_2.\ eval\ (app\ E_1\ E_2) \twoheadrightarrow \{$

$\quad eval\ E_1 \bullet \downarrow(\forall E.\ retn\ (lam\ \lambda x.\ E\ x) \twoheadrightarrow \{$ \hfill $Step_{1,2}(E_1, E_2)$

$\qquad eval\ E_2 \bullet \downarrow(\forall V_2.\ retn\ V_2 \twoheadrightarrow \{$ \hfill $Step_3(E_2, E)$

$\qquad\quad eval\ (E\ V_2) \bullet \downarrow(\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})\})\})\}$ \hfill $Step_{4,5}(E, V_2)$

Let's work backwards through this three-phase protocol. In the third phase, which corresponds to the fourth and fifth steps of our informal search procedure, we have found $\lambda x.\ E\ x = \lambda x.\ulcorner e \urcorner$ (where $e$ potentially has $x$ free) and $V_2 = \ulcorner v_2 \urcorner$. The recursive call is to $eval\ \ulcorner [v_2/x]e \urcorner$, which is the same thing as $eval\ (E\ V_2)$. If the recursive call successfully returns, the context will contain a suspended atomic proposition of the form $retn\ V$ where $V = \ulcorner v \urcorner$, and the search procedure as a whole has been completed: the answer is $v$. Thus, the negative proposition that implements the continuation can be written as $(\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})$. (This continuation is the identity; we will show how to omit it when we discuss tail-recursion elimination in Section 6.1.3.) The positive proposition that will create this sub-computation can be written as follows:

$Step_{4,5}(E, V_2) = eval\ (E\ V_2) \bullet \downarrow(\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})$

Moving backwards, in the second phase (step 3 of the 5-step procedure) we have an expression $E_2 = \ulcorner e_2 \urcorner$ that we were given and $\lambda x.\ E\ x = \lambda x.\ulcorner e \urcorner$ that we have computed. The recursive call is to $eval\ \ulcorner e_2 \urcorner$, and assuming that it completes, we need to begin the fourth step. The positive proposition that will create this sub-computation can be written as follows:

$Step_3(E_2, E) = eval\ E_2 \bullet \downarrow(\forall V_2.\ retn\ V_2 \twoheadrightarrow \{Step_{4,5}(E, V_2)\})$

Finally, the first two steps, like the fourth and fifth steps, are handled together. We have $E_1 = \ulcorner e_1 \urcorner$ and $E_2 = \ulcorner e_2 \urcorner$; the recursive call is to $eval\ \ulcorner e_1 \urcorner$. Once the recursive call completes, we enforce that the returned value has the form $\ulcorner \lambda x.e \urcorner$ before proceeding to the continuation. A returned value of any other shape cannot match the pattern $retn\ (lam\ \lambda x.\ E\ x)$, so the process state is then stuck; this is how the failure in step 2 of the informal procedure shows up in the concurrent specification.

$Step_{1,2}(E_1, E_2) = eval\ E_1 \bullet \downarrow(\forall E.\ retn\ (lam\ \lambda x.\ E\ x) \twoheadrightarrow \{Step_3(E_2, E)\})$

Thus, the rule implementing this entire portion of the search procedure is

$\forall E_1.\ \forall E_2.\ eval\ (app\ E_1\ E_2) \twoheadrightarrow \{Step_{1,2}(E_1, E_2)\}$

The SLS encoding of our example natural semantics is shown in Figure 6.1 alongside the transformed specification, which has the form of an ordered abstract machine semantics, though it is different from the ordered abstract machine semantics presented in the introduction. The specification in Figure 6.1 is nested, as ev/app is a rule that, when it participates in a transition, produces a new rule $(\forall E.\ retn\ (lam\ \lambda x.\ E\ x) \twoheadrightarrow \{\ldots\})$ that lives in the context. (In contrast, the ordered abstract machine semantics from the introduction was flat.) We discuss the defunctionalization transformation, which allows us to derive flat specifications from nested specifications, in Section 6.2 below.
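The three-phase protocol above can be executed by hand on a small term, and it is worth doing so once to see the ordered context behave as a stack. The following Python program is an added example written for this edition, not code from the dissertation or from the SLS prototype. It implements the five-step search procedure as a recursive function, and the nested ordered abstract machine of Figure 6.1 as a transition function over an ordered context (a list whose leftmost element is the one active $eval$ or $retn$ proposition and whose remaining elements are the continuation frames $A^-\ ord$ in stack order), with a switch that drops the identity continuation as the tail-recursion optimized version of Section 6.1.3 does, so that both versions can be compared on the same term. The term constructors, the frame names (`app1`, `app2`, `id`) and the sample terms are this example's own choices.

```python
"""Added example (not from the dissertation or the SLS prototype): the CBV
natural semantics as a recursive search procedure, and the nested ordered
abstract machine of Figure 6.1 run directly on an ordered context.

Terms are closed lambda terms: ('var', x) | ('lam', x, body) | ('app', e1, e2).
The ordered context is a Python list read left to right.  At every step it
holds exactly one active proposition ('eval', e) or ('retn', v) at index 0,
followed by the continuation frames (the negative propositions A- ord) in
stack order, so a 'retn' can only fire the frame immediately to its right.
"""


def subst(v, x, e):
    """[v/x]e; capture-avoiding because v is always a closed value here."""
    if e[0] == 'var':
        return v if e[1] == x else e
    if e[0] == 'lam':
        return e if e[1] == x else ('lam', e[1], subst(v, x, e[2]))
    return ('app', subst(v, x, e[1]), subst(v, x, e[2]))


def ev(e):
    """The informal five-step search procedure for e ⇓ v (backward chaining)."""
    if e[0] == 'lam':
        return e                                    # ev/lam: a value returns itself
    if e[0] == 'app':
        v1 = ev(e[1])                               # step 1: e1 ⇓ v1
        if v1[0] != 'lam':                          # step 2: v1 must be λx.e'
            raise ValueError('non-function in function position')
        v2 = ev(e[2])                               # step 3: e2 ⇓ v2
        return ev(subst(v2, v1[1], v1[2]))          # steps 4-5: [v2/x]e' ⇓ v
    raise ValueError('free variable: ' + e[1])


def step(ctx, tail):
    """One transition of the ordered abstract machine; None when no rule applies.

    Frames: ('app1', e2) is (All E. retn (lam λx.E x) >-> {...}),
            ('app2', f)  is (All V2. retn V2 >-> {eval (f V2) ...}),
            ('id',)      is the identity continuation (All V. retn V >-> {retn V}).
    With tail=True the 'app2' frame does not push 'id' (Figure 6.2 behaviour)."""
    (kind, t), frames = ctx[0], ctx[1:]
    if kind == 'eval':
        if t[0] == 'lam':                              # ev/lam
            return [('retn', t)] + frames
        if t[0] == 'app':                              # ev/app, phase Step_{1,2}
            return [('eval', t[1]), ('app1', t[2])] + frames
        raise ValueError('stuck: free variable')
    if not frames:                                     # retn v with no frame: final state
        return None
    frame, rest = frames[0], frames[1:]
    if frame[0] == 'app1':                             # Step_3 needs retn (lam ...)
        if t[0] != 'lam':
            raise ValueError('stuck: returned value does not match lam pattern')
        return [('eval', frame[1]), ('app2', t)] + rest
    if frame[0] == 'app2':                             # Step_{4,5}: eval (E V2)
        body = subst(t, frame[1][1], frame[1][2])
        return [('eval', body)] + ([] if tail else [('id',)]) + rest
    return [('retn', t)] + rest                        # 'id': retn V >-> {retn V}


def run(e, tail=False):
    """Drive x:(eval e) to y:(retn v); returns (v, number of transitions)."""
    ctx, n = [('eval', e)], 0
    while True:
        nxt = step(ctx, tail)
        if nxt is None:
            return ctx[0][1], n
        ctx, n = nxt, n + 1


if __name__ == '__main__':
    I = ('lam', 'x', ('var', 'x'))                      # constructed sample terms
    K = ('lam', 'x', ('lam', 'y', ('var', 'x')))
    e = ('app', ('app', K, I), I)                       # (K I) I  ⇓  I
    print(ev(e), run(e), run(e, tail=True))
```

On the constructed term $(K\ I)\ I$ the search procedure and both machines agree on the value $I$; the nested machine takes 13 transitions and the tail-optimized one 11, the difference being exactly the two firings of the identity continuation, one per application evaluated. The `stuck` branches are where a failed pattern match on a returned value (step 2 of the informal procedure) would leave the process state with no applicable transition; for closed terms built only from lam and app every value is a lam, so they cannot be reached here.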

The intuitive connection between natural semantics specifications and concurrent specifications has been explored previously and independently in the context of CLF by Schack-Nielsen [SN07] and by Cruz and Hou [CH12]; Schack-Nielsen proves the equivalence of the two specifications, whereas Cruz and Hou use the connection informally. The contribution of this section is to describe a general transformation (of which Figure 6.1 is one instance) and to prove the transformation correct in general. We have implemented the operationalization and defunctionalization transformations within the prototype implementation of SLS.

In  Section  6.1.1  we  will  present  the  subset  of  specifications  that  our  operationalization  trans¬ 
formation  handles,  and  in  Section  6.1.2  we  present  the  most  basic  form  of  the  transformation.  In 
Sections  6.1.3  and  6.1.4  we  extend  the  basic  transformation  to  be  both  tail-recursion  optimizing 
and  parallelism-enabling.  Finally,  in  Section  6.1.5,  we  establish  the  correctness  of  the  overall 
transformation. 
Natural semantics (left column in the original figure):

    #mode ev + -.
    ev: exp -> exp -> prop.

    ev/lam:
      ev (lam \x. E x) (lam \x. E x).

    ev/app:
      ev (app E1 E2) V
        <- ev E1 (lam \x. E x)
        <- ev E2 V2
        <- ev (E V2) V.

Ordered abstract machine (right column in the original figure):

    eval: exp -> prop ord.
    retn: exp -> prop ord.

    ev/lam:
      eval (lam \x. E x)
        >-> {retn (lam \x. E x)}.

    ev/app:
      eval (app E1 E2)
        >-> {eval E1 *
             (All E. retn (lam \x. E x)
               >-> {eval E2 *
                    (All V2. retn V2
                      >-> {eval (E V2) *
                           (All V. retn V
                             >-> {retn V})})})}.

Figure 6.1: Natural semantics (left) and ordered abstract machine (right) for CBV evaluation

6.1.1  Transformable  signatures 

The starting point for the operationalization transformation is a deductive signature that is well-moded in the sense described in Section 4.6.1. Every declared negative predicate will either remain defined by deductive proofs (we write the atomic propositions built with these predicates as $p_d^-$, $d$ for deductive) or will be transformed into the concurrent fragment of SLS (we write these predicates as $a_c$, $b_c$, etc. and write the atomic propositions built with these predicates as $p_c^-$, $c$ for concurrent).

For the purposes of describing and proving the correctness of the operationalization transformation, we will assume that all transformed atomic propositions $p_c^-$ have two arguments where the first argument is moded as an input and the second is an output. That is, they are declared as follows:

    #mode a_c + -.
    a_c : τ1 -> τ2 -> prop.


Without dependency, two-place relations are sufficient for describing $n$-place relations.¹ It should be possible to handle dependent predicates (that is, those with declarations of the form $a_c : \Pi x{:}\tau_1.\ \tau_2(x) \to prop$), but we will not do so here.

The restriction on signatures furthermore enforces that all rules must be of the form $r : C$ or $r : D$, where $C$ and $D$ are refinements of the negative propositions of SLS that are defined as follows:

$C ::= p_c^- \mid \forall x{:}\tau.\ C \mid p^+_{pers} \twoheadrightarrow C \mid\ !p_c^- \twoheadrightarrow C \mid\ !G \twoheadrightarrow C$

$D ::= p_d^- \mid \forall x{:}\tau.\ D \mid p^+_{pers} \twoheadrightarrow D \mid\ !p_d^- \twoheadrightarrow D \mid\ !G \twoheadrightarrow D$

$G ::= p_d^- \mid \forall x{:}\tau.\ G \mid p^+_{pers} \twoheadrightarrow G \mid\ !D \twoheadrightarrow G$

¹As an example, consider addition defined as a three-place relation $add\ M\ N\ P$ (where $add$ has kind $nat \to nat \to nat \to prop$) with the usual mode (add + + -). We can instead use a two-place relation $add'\ (add\_inputs\ M\ N)\ P$ with mode (add' + -). The kind of $add'$ is $add\_in \to nat \to prop$, where $add\_in$ is a new type with only one constructor $add\_inputs : nat \to nat \to add\_in$ that effectively pairs together the two natural numbers that are inputs.
For most of this chapter, we will restrict our attention to signatures where all atomic propositions have the form $p_c^-$ and where all rules have the form $C$. This makes the classes $p_d^-$, $D$, and $G$ irrelevant and effectively restricts rules to the Horn fragment. Propositions $p_d^-$ that remain deductively defined by rules $D$ will only be considered towards the end of this chapter in Section 6.6.2 when we consider various transformations on SOS specifications and in Section 6.6.3 when we consider transforming the natural semantics for Davies' $\lambda^{\bigcirc}$.

Note, however, that if a signature is well-formed given that a certain atomic proposition is assigned to the class $p_c^-$ of transformed atomic propositions, the signature will remain well-formed if we instead assign that proposition to the class $p_d^-$ of atomic propositions that get left in the deductive fragment. The only effect is that some rules that were previously of the form $r : C$ will become rules of the form $r : D$.² If we turn this dial all the way, we won't operationalize anything! If all atomic propositions are of the form $p_d^-$ so that they remain deductive, then the propositions $p_c^-$ and $C$ are irrelevant, and the restriction above describes all persistent, deductive specifications: essentially, any signature that could be executed by the standard logic programming interpretation of LF [Pfe89]. The operationalization transformation will be the identity on such a specification.

All propositions $C$ are furthermore equivalent (at the level of synthetic inference rules) to propositions of the form $\forall \vec{x}_0 \ldots \forall \vec{x}_n.\ A_1^+ \twoheadrightarrow \ldots \twoheadrightarrow A_n^+ \twoheadrightarrow a_c\ t_0\ t_{n+1}$, where the $\forall \vec{x}_i$ are shorthand for a series of universal quantifiers $\forall y_1{:}\tau_1.\ \forall y_2{:}\tau_2 \ldots$ and where each variable in $\vec{x}_i$ does not appear in $t_0$ (unless $i = 0$) nor in any $A_j^+$ with $j < i$ but does appear in $A_i^+$ (or $t_0$ if $i = 0$). Therefore, when we consider moded proof search, the variables bound in $\vec{x}_0$ are all fixed by the query and those bound in the other $\vec{x}_i$ are all fixed by the output position of the $i$th subgoal.

Each premise $A_i^+$ either has the form $p^+_{pers}$, $!p_c^-$, or $!G$. The natural deduction rule ev/app, which has three premises, can be represented in this standard form as follows:

$\forall \vec{x}_0.\ \forall \vec{x}_1.\ \forall \vec{x}_2.\ \forall \vec{x}_3.\ A_1^+ \twoheadrightarrow A_2^+ \twoheadrightarrow A_3^+ \twoheadrightarrow a_c\ t_0\ t_4$

$\forall E_1.\ \forall E_2.\ \forall E.\ \forall V_2.\ \forall V.\ !(ev\ E_1\ (lam\ \lambda x.\ E\ x)) \twoheadrightarrow\ !(ev\ E_2\ V_2) \twoheadrightarrow\ !(ev\ (E\ V_2)\ V) \twoheadrightarrow ev\ (app\ E_1\ E_2)\ V$

Here $\vec{x}_0 = E_1, E_2$ is fixed by the query, $\vec{x}_1 = E$ by the output of the first subgoal, $\vec{x}_2 = V_2$ by the second and $\vec{x}_3 = V$ by the third; the premises are listed in the order in which moded proof search solves them, which is the order the condition on the $\vec{x}_i$ above requires. From here on out we will assume without loss of generality that any proposition $C$ actually has this very specific form.

6.1.2  Basic  transformation 

The operationalization transformation $Op(\Sigma)$ operates on SLS signatures $\Sigma$ that have the form described in the previous section. We will first give the transformation on signatures; the transformation of rule declarations $r : C$ is the key case.

²The reverse does not hold: the proposition $!(\forall x{:}\tau.\ p^+_{pers} \twoheadrightarrow p_d^-) \twoheadrightarrow p_d^-$ has the form $D$, but the proposition $!(\forall x{:}\tau.\ p^+_{pers} \twoheadrightarrow p_c^-) \twoheadrightarrow p_c^-$ does not have the form $C$.
Each two-place predicate $a_c$ gets associated with two one-place predicates $eval\_a$ and $retn\_a$: both $eval\_a\ t$ and $retn\_a\ t$ are positive ordered atomic propositions. We will write $X^\dagger$ for the operation of substituting all occurrences of $p_c^- = a_c\ t_1\ t_2$ with $(eval\_a\ t_1 \twoheadrightarrow \{retn\_a\ t_2\})$ in $X$. This substitution operation is used on propositions and contexts; it appears in the transformation of rules $r : D$ below.

* $Op(\cdot) = \cdot$

* $Op(\Sigma, a_c : \tau_1 \to \tau_2 \to prop) = Op(\Sigma),\ eval\_a : \tau_1 \to prop\ ord,\ retn\_a : \tau_2 \to prop\ ord$

* $Op(\Sigma, a_c : \tau_1 \to \tau_2 \to prop) = Op(\Sigma),\ eval\_a : \tau_1 \to prop\ ord$ (if $retn\_a$ is already defined)

* $Op(\Sigma, b : \kappa) = Op(\Sigma),\ b : \kappa$ (if $b \neq a_c$)

* $Op(\Sigma, c : \tau) = Op(\Sigma),\ c : \tau$

* $Op(\Sigma, r : C) = Op(\Sigma),\ r : \forall \vec{x}_0.\ eval\_a\ t_0 \twoheadrightarrow [A_1^+, \ldots, A_n^+](a, t_{n+1}, id)$ (where $C = \forall \vec{x}_0 \ldots \forall \vec{x}_n.\ A_1^+ \twoheadrightarrow \ldots \twoheadrightarrow A_n^+ \twoheadrightarrow a_c\ t_0\ t_{n+1}$)

* $Op(\Sigma, r : D) = Op(\Sigma),\ r : D^\dagger$

The transformation of a proposition $C = \forall \vec{x}_0 \ldots \forall \vec{x}_n.\ A_1^+ \twoheadrightarrow \ldots \twoheadrightarrow A_n^+ \twoheadrightarrow a_c\ t_0\ t_{n+1}$ involves the definition $[A_i^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$, where $\sigma$ substitutes only for variables in $\vec{x}_j$ where $j < i$. The function is defined inductively on the length of the sequence $A_i^+, \ldots, A_n^+$.

* $[\,](a, t_{n+1}, \sigma) = \{retn\_a\ (\sigma t_{n+1})\}$

* $[p^+_{pers}, A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma) = \forall \vec{x}_i.\ (\sigma p^+_{pers}) \twoheadrightarrow [A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$

* $[!p_c^-, A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma) = \{eval\_b\ (\sigma t^{in}) \bullet (\forall \vec{x}_i.\ retn\_b\ (\sigma t^{out}) \twoheadrightarrow [A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma))\}$ (where $p_c^-$ is $b_c\ t^{in}\ t^{out}$)

* $[!G, A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma) = \forall \vec{x}_i.\ !(\sigma G^\dagger) \twoheadrightarrow [A_{i+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$

This operation is slightly more general than it needs to be to describe the transformation on signatures, where the substitution $\sigma$ will always just be the identity substitution $id$. Non-identity substitutions arise during the proof of correctness, which is why we introduce them here.

Figure 6.1, relating the natural semantics to the encoding of the search procedure as an ordered abstract machine, is an instance of this transformation.

6.1.3  Tail-recursion 

Consider again our motivating example, the procedure that takes an expression $e$ and searches for an expression $v$ such that $e \Downarrow v$ is derivable. If we were to implement that procedure as a functional program, the procedure would be tail-recursive. In the procedure that handles the case when $e = e_1\ e_2$, the last step invokes the search procedure recursively. If and when that callee returns $v$, then the caller will also return $v$.

Tail-recursion is significant in functional programming because tail-recursive calls can be implemented without allocating a stack frame: when a compiler makes this more efficient choice, we say it is performing tail-recursion optimization.³ An analogous opportunity for tail-recursion optimization arises in our logical compilation procedure. In our motivating example, the last step in the $e_1\ e_2$ case was operationalized as a positive proposition of the form $eval\ (E\ V_2) \bullet (\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})$. In a successful search, the process state

$x{:}eval\ (E\ V_2),\ y{:}(\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})\ ord,\ \Delta$

will evolve until the state

$x'{:}retn\ V',\ y{:}(\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})\ ord,\ \Delta$

is reached, at which point the next step, focusing on $y$, takes us to the process state

$y'{:}retn\ V',\ \Delta$

If we operationalize the last step in the $e_1\ e_2$ case as $eval\ (E\ V_2)$ instead of as $eval\ (E\ V_2) \bullet (\forall V.\ retn\ V \twoheadrightarrow \{retn\ V\})$, we will reach the same final state with one fewer transition. The tail-recursion optimizing version of the operationalization transformation creates concurrent computations that avoid these useless steps.

³Or tail-call optimization, as a tail-recursive function call is just a specific instance of a tail call.

We cannot perform tail-call optimization in general, because the output of the last subgoal may be different from the output of the goal. For example, the rule $r : \forall X.\ \forall Y.\ !a\ X\ Y \twoheadrightarrow a\ (c\ X)\ (c\ Y)$ will translate to

$r : \forall X.\ eval\_a\ (c\ X) \twoheadrightarrow \{eval\_a\ X \bullet (\forall Y.\ retn\_a\ Y \twoheadrightarrow \{retn\_a\ (c\ Y)\})\}$

There is no opportunity for tail-recursion optimization, because the output of the last search procedure, $t_n^{out} = Y$, is different from the value returned down the stack, $t_{n+1} = c\ Y$. This case corresponds to functional programs that cannot be tail-call optimized.

More subtly, we cannot even eliminate all cases where $t_n^{out} = t_{n+1}$ unless these terms are fully general. The rule $r : \forall X.\ !test\ X\ true \twoheadrightarrow test\ (s\ X)\ true$, for example, will translate to

$r : \forall X.\ eval\_test\ (s\ X) \twoheadrightarrow \{eval\_test\ X \bullet (retn\_test\ true \twoheadrightarrow \{retn\_test\ true\})\}$

It would be invalid to tail-call optimize in this situation. Even though the proposition $retn\_test\ true \twoheadrightarrow \{retn\_test\ true\}$ is an identity, if the proposition $retn\_test\ false$ appears to its left, the process state will be unable to make a transition. This condition doesn't have an analogue in functional programming, because it corresponds to the possibility that moded deductive computation can perform pattern matching on outputs and fail if the pattern match fails.

We say that $t_{n+1}$ with type $\tau$ is fully general if all of its free variables are in $\vec{x}_n$ (and therefore not fixed by the input of any other subgoal) and if, for any variable-free term $t'$ of type $\tau$, there exists a substitution $\sigma$ such that $t' = \sigma t_{n+1}$. The simplest way to ensure this is to require that $t_{n+1} = t_n^{out} = y$ where $\vec{x}_n = y$.⁴

The tail-recursive procedure can be described by adding a new case to the definition of $[A_i^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$:

* ... (four other cases from Section 6.1.2) ...

* $[!b_c\ t_n^{in}\ t_{n+1}](a, t_{n+1}, \sigma) = \{eval\_b\ (\sigma t_n^{in})\}$ (where $t_{n+1}$ is fully general and $retn\_a = retn\_b$)

This case overlaps with the third case of the definition given in Section 6.1.2, which indicates that tail-recursion optimization can be applied or not in a nondeterministic manner.

Operationalizing the natural semantics from Figure 6.1 with tail-recursion optimization gives us the ordered abstract machine in Figure 6.2.

    ev/lam: eval (lam \x. E x) >-> {retn (lam \x. E x)}.

    ev/app: eval (app E1 E2)
            >-> {eval E1 *
                 (All E. retn (lam \x. E x)
                   >-> {eval E2 *
                        (All V2. retn V2 >-> {eval (E V2)})})}.

Figure 6.2: Tail-recursion optimized semantics for CBV evaluation

⁴It is also possible to have a fully general $t_{n+1} = c\ y_1\ y_2$ if, for instance, $c$ has type $\tau_1 \to \tau_2 \to foo$ and there are no other constructors of type $foo$. However, we also have to check that there are no other variables in scope with types like $\tau_3 \to foo$ that could be used to make other terms of type $foo$.

6.1.4  Parallelism 

Both the basic and the tail-recursive transformations are sequential: if $x{:}(eval\ \ulcorner e \urcorner) \leadsto^* \Delta$, then the process state $\Delta$ contains at most one proposition $eval\ \ulcorner e' \urcorner$ or $retn\ \ulcorner v \urcorner$ that can potentially be a part of any further transition. Put differently, the first two versions of the operationalization transformation express deductive computation as a concurrent computation that does not exhibit any parallelism or concurrency (sequential computation being a special case of concurrent computation).

Sometimes, this is what we want: in Section 6.3 we will see that the sequential tail-recursion-optimized abstract machine adequately represents a traditional on-paper abstract machine for the call-by-value lambda calculus. In general, however, when distinct subgoals do not have input-output dependencies (that is, when none of subgoal $i$'s outputs are inputs to subgoal $i+1$), deductive computation can search for subgoals $i$ and $i+1$ simultaneously, and this can be represented in the operationalization transformation.

Parallelism will change the way we think about the structure of the ordered context: previously we were encoding a stack-like structure in the ordered context, and now we will encode a tree-like structure in the ordered context. It's really easy to encode a stack in an ordered context, as we have seen: we just write down the stack! Trees are only a little bit more complicated: we encode them in an ordered context by writing down an ordered tree traversal. Our translation uses a postfix traversal, so it is always possible to reconstruct a tree from the ordered context for the same reason that postfix notations like Reverse Polish notation are unambiguous: there's always only one way to reconstruct the tree of subgoals.

In the previous transformations, our process states were structured such that every negative proposition $A^-$ was waiting on a single $retn$ to be computed to its left; at that point, the negative proposition could be focused upon, invoking the continuation stored in that negative proposition. If we ignore the first-order structure of the concurrent computation, these intermediate states look like this:

$(\ldots\ subgoal\ 1\ \ldots)\ \ y{:}(retn \twoheadrightarrow cont)\ ord$

Note that subgoal 1 is intended to represent some nonempty sequence of ordered propositions, not a single proposition. With the parallelism-enabling transformation, subgoal 1 will be able to perform parallel search for its own subgoals:

$(subgoal\ 1.1)\ (subgoal\ 1.2)\ \ y_1{:}(retn_{1.1} \bullet retn_{1.2} \twoheadrightarrow cont_1)\ ord,\ \ y{:}(retn \twoheadrightarrow cont)\ ord$

The two subcomputations (subgoal 1.1) and (subgoal 1.2) are next to one another in the ordered context, but the postfix structure imposed on the process state ensures that the only way they can interact is if they both finish (becoming $z_{1.1}{:}(retn_{1.1})$ and $z_{1.2}{:}(retn_{1.2})$, respectively), which will allow us to focus on $y_1$ and begin working on the continuation $cont_1$.

To allow the transformed programs to enable parallel evaluation, we again add a new case to the function that transforms propositions $C$. The new case picks out the $j - i + 1$ premises $A_i, \ldots, A_j = !p^-_{c\,i}, \ldots, !p^-_{c\,j}$, requiring that those premises are independent. Each $p^-_{c\,k} = b_{c\,k}\ t_k^{in}\ t_k^{out}$, where the term $t_k^{out}$ is what determines the assignments for the variables in $\vec{x}_k$ when we perform moded proof search. Independence between premises requires that the free variables of $t_k^{in}$ cannot include any variables in $\vec{x}_m$ for $i \le m < k$; the well-modedness of the rule already ensures that $t_k^{in}$ does not contain any variables in $\vec{x}_m$ for $k \le m \le j$.

* ... (four other cases from Section 6.1.2, one other case from Section 6.1.3) ...

* $[!p^-_{c\,i}, \ldots, !p^-_{c\,j}, A_{j+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$
  $= \{eval\_b_i\ (\sigma t_i^{in}) \bullet \ldots \bullet eval\_b_j\ (\sigma t_j^{in}) \bullet (\forall \vec{x}_i \ldots \forall \vec{x}_j.\ retn\_b_i\ (\sigma t_i^{out}) \bullet \ldots \bullet retn\_b_j\ (\sigma t_j^{out}) \twoheadrightarrow [A_{j+1}^+, \ldots, A_n^+](a, t_{n+1}, \sigma))\}$
  (where $p^-_{c\,k}$ is $b_{c\,k}\ t_k^{in}\ t_k^{out}$ and $FV(t_k^{in}) \cap (\vec{x}_i \cup \ldots \cup \vec{x}_j) = \emptyset$ for $i \le k \le j$)

This new case subsumes the old case that dealt with sequences of the form $!p_c^-, A_{i+1}^+, \ldots, A_n^+$; that old case is now an instance of the general case where $i = j$. Specifically, the second side condition on the free variables, which is necessary if the resulting rule is to be well-scoped, is trivially satisfied in the sequential case where $i = j$.

The result of running the natural semantics from Figure 6.1 through the parallel and tail-recursion optimizing operationalization transformation is shown in Figure 6.3; it shows that we can search for the subgoals $e_1 \Downarrow \lambda x.e$ and $e_2 \Downarrow v_2$ in parallel. We cannot run either of these subgoals in parallel with the third subgoal $[v_2/x]e \Downarrow v$ because the input $[v_2/x]e$ mentions the outputs of both of the previous subgoals.

    eval: exp -> prop ord.
    retn: exp -> prop ord.

    ev/lam: eval (lam \x. E x) >-> {retn (lam \x. E x)}.

    ev/app: eval (app E1 E2)
            >-> {eval E1 * eval E2 *
                 (All E. All V2. retn (lam \x. E x) * retn V2
                   >-> {eval (E V2)})}.

Figure 6.3: Parallel, tail-recursion optimized semantics for CBV evaluation
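The three versions of the transformation (basic, tail-call optimizing, parallelism-enabling) differ only in which case of $[A_i^+, \ldots, A_n^+](a, t_{n+1}, \sigma)$ is chosen, so it is instructive to implement them as one function with two switches and watch the side conditions fire. The following Python program is an added example, not code from the SLS prototype. It implements $Op(\Sigma, r : C)$ for a single rule in the standard form of Section 6.1.1, with the tail-call case of Section 6.1.3 guarded by the fully-general check and the parallel case of Section 6.1.4 guarded by the independence check on free variables, and it runs them over the rules of Figure 6.1 and the two counterexamples of Section 6.1.3. The representation is entirely this example's assumption: terms are concrete-syntax strings in which uppercase identifiers are rule variables (the LF convention), only Horn-fragment premises are handled (no $!G$ premises), $retn\_a = retn\_b$ is read as $a = b$, and the generated predicates are named $eval\_ev$ and $retn\_ev$ where Figure 6.1 simply writes $eval$ and $retn$.

```python
"""Added example (not the SLS prototype's code): the operationalization
transformation Op on one rule in the standard form of Section 6.1.1, with the
tail-call case of 6.1.3 and the parallel case of 6.1.4 as switches.

Assumptions made for this example:
  * terms are concrete-syntax strings; following the LF convention an
    uppercase identifier is a rule variable (an element of some x_i) and
    everything else is a constant or a locally bound variable (\\x);
  * only the Horn fragment is handled: premises are ('call', b, t_in, t_out)
    for !b t_in t_out or ('pers', prop) for a persistent atom, no !G premises;
  * retn_a = retn_b is taken to mean that a and b are the same predicate.
"""
import re

VAR = re.compile(r'\b[A-Z][A-Za-z0-9]*\b')


def fv(term):
    """Rule variables occurring in a term."""
    return set(VAR.findall(term))


def atom(t):
    """Parenthesize compound terms in the rendered output."""
    return t if ' ' not in t else '(%s)' % t


def quant(vs):
    return ''.join('All %s. ' % v for v in sorted(vs))


def fully_general(t_out, bound):
    """Simplest sufficient condition of 6.1.3: t_{n+1} is one variable fixed by the last subgoal."""
    return t_out.isidentifier() and t_out[0].isupper() and t_out not in bound


def independent(group, bound):
    """Side condition of 6.1.4: FV(t_k^in) is disjoint from x_i ∪ ... ∪ x_j for every call k."""
    outs = set()
    for _, _, _, t_out in group:
        outs |= fv(t_out) - bound
    return all(fv(t_in).isdisjoint(outs) for _, _, t_in, _ in group)


def translate(prems, a, t_last, bound, tail, parallel):
    """[A_i, ..., A_n](a, t_{n+1}, id); bound = x_0 ∪ ... ∪ x_{i-1}."""
    if not prems:
        return '{retn_%s %s}' % (a, atom(t_last))                 # base case
    if prems[0][0] == 'pers':
        _, prop = prems[0]
        new = fv(prop) - bound
        rest = translate(prems[1:], a, t_last, bound | new, tail, parallel)
        return '(%s%s >-> %s)' % (quant(new), prop, rest)
    if tail and len(prems) == 1:                                   # 6.1.3: tail call
        _, b, t_in, t_out = prems[0]
        if b == a and t_out == t_last and fully_general(t_last, bound):
            return '{eval_%s %s}' % (b, atom(t_in))
    j = 1                                                          # 6.1.4: widen the group while independent
    while parallel and j < len(prems) and prems[j][0] == 'call' \
            and independent(prems[:j + 1], bound):
        j += 1
    group = prems[:j]
    new = set()
    for _, _, _, t_out in group:
        new |= fv(t_out) - bound
    evals = ' * '.join('eval_%s %s' % (b, atom(t_in)) for _, b, t_in, _ in group)
    retns = ' * '.join('retn_%s %s' % (b, atom(t_out)) for _, b, _, t_out in group)
    rest = translate(prems[j:], a, t_last, bound | new, tail, parallel)
    return '{%s * (%s%s >-> %s)}' % (evals, quant(new), retns, rest)


def op_rule(rule, tail=False, parallel=False):
    """Op(Σ, r : C) for a single rule; x_0 is fixed by the input t_0."""
    body = translate(rule['premises'], rule['pred'], rule['out'], fv(rule['in']), tail, parallel)
    return '%s: eval_%s %s >-> %s.' % (rule['name'], rule['pred'], atom(rule['in']), body)


# Constructed inputs: Figure 6.1's rules and the two counterexamples of Section 6.1.3.
EV_LAM = {'name': 'ev/lam', 'pred': 'ev', 'in': 'lam \\x. E x', 'out': 'lam \\x. E x', 'premises': []}
EV_APP = {'name': 'ev/app', 'pred': 'ev', 'in': 'app E1 E2', 'out': 'V',
          'premises': [('call', 'ev', 'E1', 'lam \\x. E x'),
                       ('call', 'ev', 'E2', 'V2'),
                       ('call', 'ev', 'E V2', 'V')]}
R_CONS = {'name': 'r', 'pred': 'a', 'in': 'c X', 'out': 'c Y', 'premises': [('call', 'a', 'X', 'Y')]}
R_TEST = {'name': 'r', 'pred': 'test', 'in': 's X', 'out': 'true',
          'premises': [('call', 'test', 'X', 'true')]}

if __name__ == '__main__':
    for flags in ({}, {'tail': True}, {'tail': True, 'parallel': True}):
        print(op_rule(EV_APP, **flags))
    print(op_rule(R_CONS, tail=True))   # output c Y is not t_n^out: no tail call
    print(op_rule(R_TEST, tail=True))   # output true is not fully general: no tail call
```

Running the module prints the three operationalizations of ev/app, which are textually Figures 6.1, 6.2 and 6.3 up to the predicate naming; on ev/app the independence check admits the first two subgoals into one group and rejects the third because $FV(E\ V_2)$ meets $\vec{x}_1 \cup \vec{x}_2$, and the tail-call check fires on the third subgoal because its output $V$ is a bare variable not fixed before it. On the two counterexamples the tail-call case is refused even with `tail=True`: for $a\ (c\ X)\ (c\ Y)$ because the last output $Y$ is not the head's output $c\ Y$, and for $test\ (s\ X)\ true$ because $true$ is a constant rather than a fully general term.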


6.1.5  Correctness 

We  have  presented,  in  three  steps,  a  nondeterministic  transformation.  One  reason  for  presenting  a 
nondeterministic  transformation  is  that  the  user  can  control  this  nondeterminism  to  operationalize 
with  or  without  parallelism  and  with  or  without  tail-call  optimization.  (The  transformation  as 
implemented  in  the  SLS  prototype  only  has  one  setting:  it  optimizes  tail-calls  but  does  not  enable 
parallel  evaluation.)  The  other  reason  for  presenting  a  nondeterministic  transformation  is  that  we 
can  prove  the  correctness  of  all  the  variants  we  have  presented  so  far  in  one  fell  swoop  by  proving 
the  correctness  of  the  nondeterministic  transformation. 

Correctness is fundamentally the property that we have $\Psi; \Gamma \vdash_\Sigma \langle p_d^- \rangle$ if and only if we have $\Psi; \Gamma^\dagger \vdash_{Op(\Sigma)} \langle p_d^- \rangle$ and that we have $\Psi; \Gamma \vdash_\Sigma \langle a_c\ t_1\ t_2 \rangle$ if and only if we have a trace $(\Psi; \Gamma^\dagger, eval\_a\ t_1) \leadsto^*_{Op(\Sigma)} (\Psi; \Gamma^\dagger, retn\_a\ t_2)$. We label the forward direction "completeness" and the backward direction "soundness," but directional assignment is (as usual) somewhat arbitrary. Completeness is a corollary of Theorem 6.2, and soundness is a corollary of Theorem 6.4. We use Theorem 6.1 pervasively and usually without mention.

Theorem 6.1 (No effect on the LF fragment). $\Psi \vdash_\Sigma t : \tau$ if and only if $\Psi \vdash_{Op(\Sigma)} t : \tau$.

Proof. Straightforward induction in both directions; the transformation leaves the LF-relevant part of the signature unchanged. □

Completeness 

Theorem 6.2 (Completeness of operationalization). If all propositions in $\Gamma$ have the form $x{:}D\ pers$ or $z{:}\langle p^+_{pers} \rangle$, then

1. If $\Psi; \Gamma \vdash_\Sigma \langle p_d^- \rangle$, then $\Psi; \Gamma^\dagger \vdash_{Op(\Sigma)} \langle p_d^- \rangle$.

2. If $\Psi; \Gamma, [D] \vdash_\Sigma \langle p_d^- \rangle$, then $\Psi; \Gamma^\dagger, [D^\dagger] \vdash_{Op(\Sigma)} \langle p_d^- \rangle$.

3. If $\Psi; \Gamma \vdash_\Sigma G$, then $\Psi; \Gamma^\dagger \vdash_{Op(\Sigma)} G^\dagger$.

4. If $\Delta$ matches $\Theta\{\{\Gamma\}\}$ and $\Psi; \Gamma \vdash_\Sigma \langle p_c^- \rangle$ (where $p_c^- = a_c\ t\ s$), then $(\Psi; \Theta^\dagger\{x{:}(eval\_a\ t)\}) \leadsto^*_{Op(\Sigma)} (\Psi; \Theta^\dagger\{y{:}(retn\_a\ s)\})$.

Proof. Mutual induction on the structure of the input derivation.

The first three parts are straightforward. In part 1, we have $\Psi; \Gamma \vdash_\Sigma h \cdot Sp : \langle p_d^- \rangle$ where either $h = x$ and $x{:}D \in \Gamma$ or else $h = r$ and $r : D \in \Sigma$. In either case the necessary result is $h \cdot Sp'$, where we get $Sp'$ from the induction hypothesis (part 2) on $Sp$.

In part 2, we proceed by case analysis on the proposition $D$ in focus. The only interesting case is where $D = !p_c^- \twoheadrightarrow D'$.

* If $D = p_d^-$, then $Sp = NIL$ and $NIL$ gives the desired result.

* If $D = \forall x{:}\tau.\ D'$ or $D = p^+_{pers} \twoheadrightarrow D'$, then $Sp = (t; Sp')$ or $Sp = (z; Sp')$ (respectively). The necessary result is $(t; Sp'')$ or $(z; Sp'')$ (respectively) where we get $Sp''$ from the induction hypothesis (part 2) on $Sp'$.

* If $D = !p_c^- \twoheadrightarrow D'$ and $p_c^- = a_c\ t_1\ t_2$, then $Sp = (!N; Sp')$ and $D^\dagger = !(eval\_a\ t_1 \twoheadrightarrow \Diamond(retn\_a\ t_2)) \twoheadrightarrow D'^\dagger$.⁵

  $\Psi; \Gamma \vdash_\Sigma N : \langle a_c\ t_1\ t_2 \rangle$ (given)

  $\Psi; \Gamma, [D'] \vdash_\Sigma Sp' : \langle p_d^- \rangle$ (given)

  $T :: (\Psi; \Gamma^\dagger, x{:}(eval\_a\ t_1)) \leadsto^*_{Op(\Sigma)} (\Psi; \Gamma^\dagger, y{:}(retn\_a\ t_2))$ (ind. hyp. (part 4) on $N$)

  $\Psi; \Gamma^\dagger, [D'^\dagger] \vdash_{Op(\Sigma)} Sp'' : \langle p_d^- \rangle$ (ind. hyp. (part 2) on $Sp'$)

  $\Psi; \Gamma^\dagger \vdash_{Op(\Sigma)} \lambda x.\ \{let\ T\ in\ y\} : eval\_a\ t_1 \twoheadrightarrow \Diamond(retn\_a\ t_2)$ (construction)

  $\Psi; \Gamma^\dagger, [D^\dagger] \vdash_{Op(\Sigma)} !(\lambda x.\ \{let\ T\ in\ y\}); Sp'' : \langle p_d^- \rangle$ (construction)

* If $D = !G \twoheadrightarrow D'$, then $Sp = !N; Sp'$. The necessary result is $!N'; Sp''$. We get $N'$ from the induction hypothesis (part 3) on $N$ and get $Sp''$ from the induction hypothesis (part 2) on $Sp'$.

The cases of part 3 are straightforward invocations of the induction hypothesis (part 1 or part 3). For instance, if $G = !D \twoheadrightarrow G'$ then we have a derivation of the form $\lambda x.N$ where $\Psi; \Gamma, x{:}D\ pers \vdash_\Sigma N : G'$. By the induction hypothesis (part 3) we have $\Psi; \Gamma^\dagger, x{:}D^\dagger\ pers \vdash_{Op(\Sigma)} N' : G'^\dagger$, and we conclude by constructing $\lambda x.N'$.

In  part  4,  we  have  \F;  T  hs  r  ■  Sp  :  (p^ ) ,  where  r.C  G  S  and  the  proposition  C  is  equivalent 
to  VaT . . .  VxT  A+  >— >  . . .  >— >  Af  a c  £0  tn+1  as  described  in  Section  6.1.2.  This  means  that,  for 
each  0  <  i  <  n,  we  can  decompose  Sp  to  get  a,  =  (sq/xo,  . . . ,  (for  some  terms  . . .  si 
that  correspond  to  the  correct  variables)  and  we  have  a  value  \F;  T  Vi  :  [criAf].  We  also  have 
£  =  a o£o  and  s  =  antn+ \.  It  suffices  to  show  that,  for  any  1  <  i  <  n,  there  is 

*  aspineS'psuchthat'F;rt,[[A+,...,yl+](a,fn+i,o’o)]  b0p(s)  Sp  :  (O C+), 

*  a  pattem+trace  AP.T  ::  (\F;  0t{C,+  })  ^op(E)  ('F;  0t{y:retn_a  (antn+1)}).6 

Once  we  prove  this,  the  trace  we  need  to  show  is  {P}  <—  r  ■  (s0;  Sp);  T. 

We  will  prove  this  by  induction  on  the  length  of  the  sequence  sequence  Aiy . . . ,  An,  and 
proceed  by  case  analysis  on  the  definition  of  the  operationalization  transformation: 

*  U(a,  tn+1,  an)  =  0(retn_a  {antn+1)) 


This  is  a  base  case:  let  Sp  =  NIL,  P  =  y,  and  T  =  o,  and  we  are  done. 


*  [!ac  t™  £n+i](a,  tn+i,  an_i)  =  0(eval_a  (crn_i£;n)) 

We  are  given  a  value  f;T  hs  !JV  :  [!ac  (crnt™)  (antn+ 1)];  observe  that  crn_  ]  £}"  =  ant™. 
This  is  also  abase  case:  let  Sp  =  nil,  and  let  P  =  xn  ::  (\F;  0f (evaLa  (ant™))}  =^oP(s) 
('F;  0f{a;n:(eval  j  (ant™))}).  We  need  a  trace  T  ::  ('F;  ©^x^evaLa  (ant™))})  ^*0p(s) 

5 Recall  that  (jCS  and  {C+}  are  synonyms  for  the  internalization  of  the  lax  modality;  we  will  use  the  O  in  the 
course  of  this  proofs  in  this  section. 

6The  derived  pattern+trace  form  is  discussed  at  the  end  of  Section  4.2.6. 
(Ψ; Θ†{y:(retn_a (σ_n t_{n+1}))}); this follows from the outer induction hypothesis (part 4) on N.

• ⟦p⁺ pers, A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1}) = ∀x_i. σ_{i-1}p⁺ pers ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)

Ψ; Γ ⊢_Σ z : [σ_i p⁺ pers]   (given)
σ_i = (σ_{i-1}, s_i/x_i)   (definition of σ_i)
Ψ; Γ†, [⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)] ⊢_{Op(Σ)} Sp' : (○C⁺)   (by inner ind. hyp.)
λP.T :: (Ψ; Θ†{C⁺}) ⇝*_{Op(Σ)} (Ψ; Θ†{y:retn_a (σ_n t_{n+1})})   (by inner ind. hyp.)
Ψ; Γ†, [∀x_i. (σ_{i-1}p⁺ pers) ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})] ⊢_{Op(Σ)} (s_i; z; Sp') : (○C⁺)   (construction)

We conclude by letting Sp = s_i; z; Sp'.

• ⟦!p_{c_i}, …, !p_{c_j}, A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})
    = ○(eval_{b_i} (σ_{i-1} t_i^in) • … • eval_{b_j} (σ_{i-1} t_j^in) •
        ↓(∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out)
            ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)))
  (where p_{c_k} is b_k c t_k^in t_k^out and FV(t_k^in) ∩ (x_i ∪ … ∪ x_j) = ∅ for i ≤ k ≤ j)

Let Sp = nil and P = y_i, …, y_j, y. It suffices to show that there is a trace

T :: (Ψ; Θ†{y_i:(eval_{b_i} (σ_{i-1} t_i^in)), …, y_j:(eval_{b_j} (σ_{i-1} t_j^in)),
        y:(∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out)
            ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)) ord})
    ⇝*_{Op(Σ)} (Ψ; Θ†{y:(retn_a (σ_n t_{n+1}))})

Ψ; Γ ⊢_Σ !N_k : [!b_k c (σ_k t_k^in) (σ_k t_k^out)]  (i ≤ k ≤ j)   (given)
Ψ; Γ ⊢_Σ !N_k : [!b_k c (σ_{i-1} t_k^in) (σ_j t_k^out)]  (i ≤ k ≤ j)   (condition on translation, defn. of σ_k)
T₀ :: (Ψ; Θ†{y_i:(eval_{b_i} (σ_{i-1} t_i^in)), …, y_j:(eval_{b_j} (σ_{i-1} t_j^in)),
          y:(∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out)
              ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)) ord})
    ⇝*_{Op(Σ)} (Ψ; Θ†{y_i':(retn_{b_i} (σ_j t_i^out)), …, y_j':(retn_{b_j} (σ_j t_j^out)),
          y:(∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out)
              ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)) ord})
    (by outer ind. hyp. (part 4) on each of the N_k in turn)
Ψ; Γ†, [⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)] ⊢_{Op(Σ)} Sp' : (○C⁺)   (by inner ind. hyp.)
λP'.T' :: (Ψ; Θ†{C⁺}) ⇝*_{Op(Σ)} (Ψ; Θ†{y:(retn_a (σ_n t_{n+1}))})   (by inner ind. hyp.)

We conclude by letting T = (T₀; {P'} ← y · (s_i; …; s_j; (y_i' • … • y_j'); Sp'); T').
• ⟦!G, A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1}) = ∀x_i. !σ_{i-1}G† ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)

Ψ; Γ ⊢_Σ !N : [!σ_i G]   (given)
Ψ; Γ† ⊢_{Op(Σ)} N' : σ_i G†   (by outer ind. hyp. (part 3) on N)
σ_i = (σ_{i-1}, s_i/x_i)   (definition of σ_i)
Ψ; Γ†, [⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)] ⊢_{Op(Σ)} Sp' : (○C⁺)   (by inner ind. hyp.)
Ψ; Γ†, [∀x_i. !σ_{i-1}G† ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})] ⊢_{Op(Σ)} (s_i; !N'; Sp') : (○C⁺)   (construction)

We conclude by letting Sp = s_i; !N'; Sp'.


This  completes  the  inner  induction  in  the  fourth  part,  and  hence  the  completeness  proof.  □ 


Soundness 


Soundness under the parallel translation requires us to prove an inversion lemma like the one that we first encountered in the proof of preservation for adequacy (Theorem 4.7). To this end, we describe two new refinements of negative propositions that capture the structure of transformed concurrent rules.

R ::= ∀x. retn_{b₁} t₁ • … • retn_{b_n} t_n ↠ S
S ::= ∀x:τ. S | p⁺ pers ↠ S | !A⁻ ↠ S | ○(eval_{b₁} t₁ • … • eval_{b_n} t_n • ↓R) | ○(eval_b t)

Every concurrent rule in a transformed signature Op(Σ) has the form r : ∀x. eval_b t ↠ S.

Theorem 6.3 (Rearrangement). If Δ contains only atomic propositions, persistent propositions of the form D, and ordered propositions of the form R, and if Γ_z matches z:(retn_z t_z), then

1. If Δ matches Θ†{x₁:(retn_{b₁} t₁), …, x_n:(retn_{b_n} t_n), y:(∀x. retn_{b₁} s₁ • … • retn_{b_n} s_n ↠ S)} and T :: (Ψ; Δ) ⇝*_{Op(Σ)} (Ψ; Γ_z), then T = {P} ← y · (u; (x₁ • … • x_n); Sp); T' where (u/x)s_i = t_i for 1 ≤ i ≤ n.

2. If Δ matches Θ†{y:(eval_b t)} and T :: (Ψ; Δ) ⇝*_{Op(Σ)} (Ψ; Γ_z), then T = {P} ← r · (u; y; Sp); T' where r : ∀x. eval_b s ↠ S ∈ Op(Σ).

Proof.  In  both  cases,  the  proof  is  by  induction  on  the  structure  of  T  and  case  analysis  on  the  first 
steps  in  T.  If  the  first  step  does  not  proceed  by  focusing  on  y  (part  1)  or  focusing  on  a  rule  in  the 
signature  and  consuming  y  (part  2),  then  we  proceed  by  induction  on  the  smaller  trace  to  move 
the  relevant  step  to  the  front.  We  have  to  check  that  the  first  step  doesn’t  output  any  variables 
that  are  input  variables  of  the  relevant  step.  This  is  immediate  from  the  structure  of  R,  S,  and 
transformed  signatures.  □ 

The  main  soundness  theorem  is  Theorem  6.4.  The  first  three  cases  of  Theorem  6.4  are 
straightforward  transformations  from  deductive  proofs  to  deductive  proofs,  and  the  last  two  cases 
are  the  key.  In  the  last  two  cases,  we  take  a  trace  that,  by  its  type,  must  contain  the  information 
needed  to  reconstruct  a  deductive  proof. 
Theorem 6.4 (Soundness of operationalization). If all propositions in Γ have the form x:D pers or z:(p pers), and all propositions in Δ have the form x:D pers, z:(p pers), x:(eval_b t), x:(retn_b t), or x:R ord, then

1. If Ψ; Γ† ⊢_{Op(Σ)} (p⁻), then Ψ; Γ ⊢_Σ (p⁻).

2. If Ψ; Γ†, [D†] ⊢_{Op(Σ)} (p_d⁻), then Ψ; Γ, [D] ⊢_Σ (p_d⁻).

3. If Ψ; Γ† ⊢_{Op(Σ)} G†, then Ψ; Γ ⊢_Σ G.

4. If Δ matches Θ†{Γ†}, Γ_z matches z:(retn_z t_z), and (Ψ; Θ†{Γ†, x:(eval_a t)}) ⇝*_{Op(Σ)} (Ψ; Γ_z), then there exists an s s.t. Ψ; Γ ⊢_Σ (a_c t s) and (Ψ; Θ†{y:(retn_a s)}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

5. If Δ matches Θ†{Γ†}, Γ_z matches z:(retn_z t_z), Ψ; Γ†, [⟦A_i⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})] ⊢_{Op(Σ)} (○C⁺), and (Ψ; Θ†{C⁺}) ⇝*_{Op(Σ)} (Ψ; Γ_z), then there exists a σ ⊇ σ_{i-1} such that there are values Ψ; Γ ⊢_Σ V_j : [σA_j⁺] for i ≤ j ≤ n and (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

Proof. By induction on the structure of the given derivation or given trace. Parts 1 and 3 exactly match the structure of the completeness proof (Theorem 6.2); the only difference in part 2 is the case where D = !p_c ↠ D'. In this case, we reason as follows:

D = !p_c ↠ D', where p_c = a_c t₁ t₂   (given)
D† = !(eval_a t₁ ↠ ○(retn_a t₂)) ↠ D'†   (definition of D†)
Ψ; Γ†, [!(eval_a t₁ ↠ ○(retn_a t₂)) ↠ D'†] ⊢_{Op(Σ)} Sp : (p_d⁻)   (given)
Sp = !(λx. {let T in y}); Sp', where   (inversion on the type of Sp)
    T :: (Ψ; Γ†, x:(eval_a t₁)) ⇝*_{Op(Σ)} (Ψ; Γ_z),
    Γ_z matches y:(retn_a t₂), and
    Ψ; Γ†, [D'†] ⊢_{Op(Σ)} Sp' : (p_d⁻)
Ψ; Γ, [D'] ⊢_Σ Sp'' : (p_d⁻)   (ind. hyp. (part 2) on Sp')
Ψ; Γ ⊢_Σ N : (a_c t₁ s)   (ind. hyp. (part 4) on T)
T' :: (Ψ; Γ†, y':(retn_a s)) ⇝*_{Op(Σ)} (Ψ; Γ_z)   (ind. hyp. (part 4) on T)
T' = ◇, y' = y, and t₂ = s   (case analysis on the structure of T')
Ψ; Γ, [!p_c ↠ D'] ⊢_Σ !N; Sp'' : (p_d⁻)   (construction)

Part 4. We let σ₀ = (u/x₀).

T :: (Ψ; Θ†{x:(eval_a t)}) ⇝*_{Op(Σ)} (Ψ; Γ_z)   (given)
T = {P} ← r · (u; x; Sp); T'   (Theorem 6.3 on T)
r : ∀x₀. eval_a t₀ ↠ ⟦A₁⁺, …, A_n⁺⟧(a, t_{n+1}, id) ∈ Op(Σ)
t = σ₀t₀
Ψ; Γ†, [⟦A₁⁺, …, A_n⁺⟧(a, t_{n+1}, σ₀)] ⊢_{Op(Σ)} Sp : (○C⁺)
λP.T' :: (Ψ; Θ†{C⁺}) ⇝*_{Op(Σ)} (Ψ; Γ_z)
Ψ; Γ ⊢_Σ V_j : [σA_j⁺] for 1 ≤ j ≤ n   (ind. hyp. (part 5) on Sp and T')
T'' :: (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z)   (ind. hyp. (part 5) on Sp and T')

We needed to show a derivation and a trace: the trace T'' is precisely the latter. For the derivation of a_c t s (for some s), we observe that r ∈ Σ has a type equivalent to ∀x₀ … ∀x_n. A₁⁺ ↠ … ↠ A_n⁺ ↠ a_c t₀ t_{n+1}. Therefore, by letting s = σt_{n+1} and using the V_j from the induction hypothesis (part 5) above, we can construct a derivation of Ψ; Γ ⊢_Σ (a_c t s) by focusing on r, which is the other thing we needed to show.

The step above where we assume that the head of r involves the predicate a_c is the only point in the correctness proofs where we rely on the fact that each transformed predicate eval_a is associated with exactly one original-signature predicate a_c: if this were not the case, and eval_a were also associated with an original-signature predicate b_c, then we might get the "wrong" derivation back from this step. We do not have to rely on retn_a being similarly uniquely associated with a_c.

Part 5. We are given a spine Ψ; Γ†, [⟦A_i⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})] ⊢_{Op(Σ)} Sp : (○C⁺) and a trace λP.T :: (Ψ; Θ†{C⁺}) ⇝*_{Op(Σ)} (Ψ; Γ_z). We need to show a σ ⊇ σ_{i-1}, values Ψ; Γ ⊢_Σ V_j : [σA_j⁺] for i ≤ j ≤ n, and a trace T' :: (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

We  proceed  by  case  analysis  on  the  definition  of  the  operationalization  transformation: 

• ⟦⟧(a, t_{n+1}, σ_n) = ○(retn_a (σ_n t_{n+1}))

This is a base case: there are no values to construct. By inversion on the type of P we know it has the form y :: (Ψ; Θ†{retn_a (σ_n t_{n+1})}) ⇝_{Op(Σ)} (Ψ; Θ†{y:(retn_a (σ_n t_{n+1}))}), that is, (Ψ; Θ†{retn_a (σ_n t_{n+1})}) decomposes to (Ψ; Θ†{y:(retn_a (σ_n t_{n+1}))}). Let σ = σ_n and we are done; the trace T is the necessary trace.

• ⟦!a_c t_n^in t_{n+1}⟧(a, t_{n+1}, σ_{n-1}) = ○(eval_a (σ_{n-1} t_n^in))

This is also a base case: we have one value of type !a_c (σt_n^in) (σt_{n+1}) to construct, where σ ⊇ σ_{n-1}. By inversion on the type of P we know that the pattern has the form y :: (Ψ; Θ†{eval_a (σ_n t_n^in)}) ⇝_{Op(Σ)} (Ψ; Θ†{y:(eval_a (σ_n t_n^in))}). This means we also have that T :: (Ψ; Θ†{y:(eval_a (σ_n t_n^in))}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

By the induction hypothesis (part 4) on T, we have an s such that Ψ; Γ ⊢_Σ N : (a_c (σ_n t_n^in) s) and a trace T' :: (Ψ; Θ†{y:(retn_a s)}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

We can only apply tail-recursion optimization when t_{n+1} is fully general, which means we can construct a σ ⊇ σ_{n-1} such that σt_{n+1} = s. The value we needed to construct is just !N, and the trace T' is in the form we need, so we are done.

• ⟦p⁺ pers, A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1}) = ∀x_i. σ_{i-1}p⁺ pers ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)

By type inversion, the spine Sp = u_i; z; Sp'. Let σ_i = (σ_{i-1}, u_i/x_i). The induction hypothesis (part 5) on Sp' and T gives σ ⊇ σ_i, values of type σA_j⁺ for i < j ≤ n, and a trace T' :: (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z). The remaining value of type σA_i⁺ = σp⁺ pers is just z.

• ⟦!p_{c_i}, …, !p_{c_j}, A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1})
    = ○(eval_{b_i} (σ_{i-1} t_i^in) • … • eval_{b_j} (σ_{i-1} t_j^in) •
        ↓(∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out)
            ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)))
  (where p_{c_k} is b_k c t_k^in t_k^out and FV(t_k^in) ∩ (x_i ∪ … ∪ x_j) = ∅ for i ≤ k ≤ j)

Let R = ∀x_i … ∀x_j. retn_{b_i} (σ_{i-1} t_i^out) • … • retn_{b_j} (σ_{i-1} t_j^out) ↠ ⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j).

By inversion on the type of P, we know it has the form y_i, …, y_j, y, and we know that

T :: (Ψ; Θ†{y_i:(eval_{b_i} (σ_{i-1} t_i^in)), …, y_j:(eval_{b_j} (σ_{i-1} t_j^in)), y:R ord}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

By j − i + 1 applications of the induction hypothesis (part 4) starting with T, we obtain for i ≤ k ≤ j a derivation of Ψ; Γ ⊢_Σ N_k : (b_k c (σ_{i-1} t_k^in) s_k) and a smaller trace T'' :: (Ψ; Θ†{z_i:(retn_{b_i} s_i), …, z_j:(retn_{b_j} s_j), y:R ord}) ⇝*_{Op(Σ)} (Ψ; Γ_z).

By Theorem 6.3 we get that T'' = {P'} ← y · (u_i; …; u_j; (z_i • … • z_j); Sp'); T'''.

Let σ_j = (σ_{i-1}, u_i/x_i, …, u_j/x_j). Then we have that s_k = σ_j t_k^out for i ≤ k ≤ j and Ψ; Γ†, [⟦A_{j+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_j)] ⊢_{Op(Σ)} Sp' : (○C⁺).

The induction hypothesis (part 5) on Sp' and T''' gives σ ⊇ σ_j, values of type σA_k⁺ for j < k ≤ n, and a trace T' :: (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z). The remaining values of type σA_k⁺ = !(σp_{c_k}) for i ≤ k ≤ j all have the form !N_k (where the N_k were constructed above by invoking part 4 of the induction hypothesis).


• ⟦!G, A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_{i-1}) = ∀x_i. !σ_{i-1}G† ↠ ⟦A_{i+1}⁺, …, A_n⁺⟧(a, t_{n+1}, σ_i)

By type inversion, the spine Sp = u_i; !N; Sp'. Let σ_i = (σ_{i-1}, u_i/x_i). The induction hypothesis (part 5) on Sp' and T gives σ ⊇ σ_i, values of type σA_j⁺ for i < j ≤ n, and a trace T' :: (Ψ; Θ†{y:(retn_a (σt_{n+1}))}) ⇝*_{Op(Σ)} (Ψ; Γ_z). The remaining value of type σA_i⁺ = !(σG) is !N', where we get Ψ; Γ ⊢_Σ N' : σG from the induction hypothesis (part 3) on N.


This completes the proof. □


6.2  Logical  transformation:  defunctionalization 

Defunctionalization is a procedure for turning nested SLS specifications into flat SLS specifications. The key idea is that a nested rule can always be simulated by a distinguished atomic proposition by inserting a rule into the signature that teaches the atomic proposition how to act like the nested rule. (Or, looking at it the other way around, the new atomic propositions act like triggers for the additional rules.) The correctness of defunctionalization follows from a simple lock-step bisimulation argument: if a trigger can cause a rule in the defunctionalized signature to fire, then that trigger corresponds to a nested rule in the context that can fire immediately in the non-defunctionalized process state, and vice-versa.

The defunctionalization procedure implemented in the SLS prototype is actually three transformations. The first is properly a defunctionalization transformation (Section 6.2.1), the second is an uncurrying transformation (Section 6.2.2), and the third is a refactoring that transforms a family of cont-like predicates into a single cont predicate and a family of frames (Section 6.2.3). We will explain each of these transformations in turn; one example of the full three-part defunctionalization transformation on a propositional signature is given in Figure 6.4.
Nested signature:

a, b, c, d : prop ord,
ruleA : a ↠ {b • ↓(c ↠ {d})},
ruleB : c ↠ {↓(d ↠ {↓(a • a ↠ {b})})}

⟹ Defunctionalized signature:

a, b, c, d : prop ord,
frame : type,
cont : frame → prop ord,
frameA1 : frame,
ruleA : a ↠ {b • cont frameA1},
ruleA1 : c • cont frameA1 ↠ {d},
frameB1 : frame,
frameB2 : frame,
ruleB : c ↠ {cont frameB1},
ruleB1 : d • cont frameB1 ↠ {cont frameB2},
ruleB2 : a • a • cont frameB2 ↠ {b}

Figure 6.4: Defunctionalization on a nested SLS signature

6.2.1  Defunctionalization 

Defunctionalization is based on the following intuitions: if A⁻ is a closed negative proposition and we have a single-step transition {P} ← y · Sp :: (Ψ; Θ{y:A⁻ ord}) ⇝_Σ (Ψ; Δ'), then we can define an augmented signature

Σ' = Σ,
    cont : prop ord,
    run_cont : cont ↠ A⁻

and it is the case that (Ψ; Θ{y:(cont)}) ⇝_{Σ'} (Ψ; Δ') as well. Whenever the step {P} ← y · Sp is possible under Σ, the step {P} ← run_cont · (y; Sp) will be possible under Σ', and vice versa. (It would work just as well for run_cont to be cont ↞ A⁻: the persistent propositions A⁺ ↠ B⁻ and A⁺ ↞ B⁻ are indistinguishable in ordered logic.)

Because rules in the signature must be closed negative propositions, this strategy won't work for a transition that mentions free variables from the context. However, every open proposition Ψ ⊢_Σ A⁻ type⁻ can be refactored as an open proposition a₁:τ₁, …, a_n:τ_n ⊢ B⁻ type⁻ and a substitution σ = (t₁/a₁, …, t_n/a_n) such that Ψ ⊢_Σ σ : a₁:τ₁, …, a_n:τ_n and σB⁻ = A⁻. Then, we can augment the signature in this more general form:

Σ' = Σ,
    cont : Πa₁:τ₁ … Πa_n:τ_n. prop ord
    run_cont : ∀a₁:τ₁ … ∀a_n:τ_n. cont a₁ … a_n ↠ B⁻

As before, whenever the step {P} ← y · Sp :: (Ψ; Θ{y:A⁻ ord}) ⇝_Σ (Ψ; Δ') is possible under Σ, the step {P} ← run_cont · (t₁; …; t_n; y; Sp) :: (Ψ; Θ{y:(cont t₁ … t_n)}) ⇝_{Σ'} (Ψ; Δ') will be possible under Σ', and vice versa.
Taking this a step further, if we have a signature Σ₁ = Σ, rule : … ↠ ○(… • ↓B⁻ • …) where the variables a₁ … a_n are free in B⁻, then any trace in this signature will be in lock-step bisimulation with a trace in this signature:

Σ₂ = Σ,
    cont : Πa₁:τ₁ … Πa_n:τ_n. prop ord
    rule : … ↠ ○(… • (cont a₁ … a_n) • …)
    run_cont : ∀a₁:τ₁ … ∀a_n:τ_n. cont a₁ … a_n ↠ B⁻

Specifically, say that (Ψ; Δ₁) ℛ (Ψ; Δ₂) when Δ₁ is Δ₂ where all variable declarations of the form y:(cont t₁ … t_n) ord in Δ₂ have been replaced by y:(t₁/a₁, …, t_n/a_n)B⁻ ord in Δ₁. (Note that if ⊢_{Σ₂} (Ψ; Δ₂) state holds, then ⊢_{Σ₁} (Ψ; Δ₁) state holds as well.) It is the case that if S₁ :: (Ψ; Δ₁) ⇝*_{Σ₁} (Ψ'; Δ₁') then S₂ :: (Ψ; Δ₂) ⇝*_{Σ₂} (Ψ'; Δ₂') where (Ψ'; Δ₁') ℛ (Ψ'; Δ₂'). The opposite also holds: if S₂ :: (Ψ; Δ₂) ⇝*_{Σ₂} (Ψ'; Δ₂') then S₁ :: (Ψ; Δ₁) ⇝*_{Σ₁} (Ψ'; Δ₁') where (Ψ'; Δ₁') ℛ (Ψ'; Δ₂'). For transitions not involving rule or run_cont in Σ₂ this is immediate, for transitions involving rule we observe that the propositions introduced by inversion preserve the simulation, and for transitions involving run_cont we use the aforementioned fact that the atomic term y · Sp in Σ₁ is equivalent to the atomic term run_cont · (t₁; …; t_n; y; Sp) in Σ₂.

We can iterate this defunctionalization procedure on the nested ev/app rule from Figure 6.2:

ev/app : ∀E₁.∀E₂. eval (app E₁ E₂)
    ↠ {eval E₁ •
        ↓(∀E. retn (lam λx.E x)
            ↠ {eval E₂ • ↓(∀V₂. retn V₂ ↠ {eval (E V₂)})})}.

The outermost nested rule only has the variable E₂ free, so the first continuation we introduce, cont_app1, has one argument.

cont_app1 : exp → prop ord,

ev/app : ∀E₁.∀E₂. eval (app E₁ E₂) ↠ {eval E₁ • cont_app1 E₂}
ev/app1 : ∀E₂. cont_app1 E₂ ↠ ∀E. retn (lam λx.E x)
    ↠ {eval E₂ • ↓(∀V₂. retn V₂ ↠ {eval (E V₂)})}.

This step turns ev/app into a flat rule; we repeat defunctionalization on ev/app1 to get a completely flat specification. This introduces a new proposition cont_app2 that keeps track of the free variable E with type exp → exp.

cont_app1 : exp → prop ord,
cont_app2 : (exp → exp) → prop ord,

ev/app : ∀E₁.∀E₂. eval (app E₁ E₂) ↠ {eval E₁ • cont_app1 E₂}
ev/app1 : ∀E₂. cont_app1 E₂ ↠ ∀E. retn (lam λx.E x) ↠ {eval E₂ • cont_app2 (λx.E x)}.
ev/app2 : ∀E. cont_app2 (λx.E x) ↠ ∀V₂. retn V₂ ↠ {eval (E V₂)}.
eval : exp -> prop ord.
retn : exp -> prop ord.
cont_app1 : exp -> prop ord.
cont_app2 : (exp -> exp) -> prop ord.

ev/lam : eval (lam \x. E x) >-> {retn (lam \x. E x)}.
ev/app : eval (app E1 E2) >-> {eval E1 * cont_app1 E2}.
ev/app1 : retn (lam \x. E x) * cont_app1 E2 >-> {eval E2 * cont_app2 (\x. E x)}.
ev/app2 : retn V2 * cont_app2 (\x. E x) >-> {eval (E V2)}.

Figure 6.5: Uncurried call-by-value evaluation


6.2.2  Uncurrying 

The first arrow in a rule can be freely switched between left and right ordered implication: the rules A⁺ ↠ {B⁺} and A⁺ ↞ {B⁺} are equivalent, for instance. Pfenning used A⁺ → {B⁺} as a generic form of ordered implication for this reason in [Pfe04]. This observation only holds because rules act like persistent resources, however! It does not seem to be possible to treat → as a real connective in ordered logic with well-behaved left and right rules that satisfy cut admissibility, and the observation applies only to the first arrow: while the rule rule1 : A⁺ ↠ B⁺ ↠ {C⁺} is equivalent to the rule rule2 : A⁺ ↞ B⁺ ↠ {C⁺}, these two rules are not equivalent to the rule rule3 : A⁺ ↠ B⁺ ↞ {C⁺}.

Uncurrying tries to rewrite a rule so that the only arrow is the first one, taking an awkward rule like A⁺ ↠ B⁺ ↞ C⁺ ↠ D⁺ ↞ {E⁺} to the more readable flat rule C⁺ • A⁺ • B⁺ • D⁺ ↠ {E⁺}. Uncurrying can only be performed on persistent or linear propositions (or rules in the signature): there is no A⁺ that makes the variable declaration x:(p⁺ ↠ q⁺ ↞ {r⁺}) ord equivalent to x:(A⁺ ↞ {r⁺}) ord or x:(A⁺ ↠ {r⁺}) ord for any A⁺.

Thus, defunctionalization and uncurrying work well together: if we replace the variable declaration x:(p⁺ ↠ q⁺ ↞ {r⁺}) ord with the suspended ordered proposition x:(cont) ord and add a rule run_cont : cont ↠ p⁺ ↠ q⁺ ↞ {r⁺}, that rule can then be uncurried to get the equivalent rule p⁺ • cont • q⁺ ↠ {r⁺}.

If we uncurry the defunctionalized specification for CBV evaluation from the previous section, we get the SLS specification shown in Figure 6.5. This flat specification closely and adequately represents the abstract machine semantics from the beginning of this chapter, but before proving adequacy in Section 6.3, we will make one more change to the semantics.


6.2.3  From  many  predicates  to  many  frames 

This  last  change  we  make  appears  to  be  largely  cosmetic,  but  it  will  facilitate,  in  Section  6.5.4 
below,  the  modular  extension  of  our  semantics  with  recoverable  failure. 
eval : exp -> prop ord.
retn : exp -> prop ord.
cont : frame -> prop ord.

app1 : exp -> frame.
app2 : (exp -> exp) -> frame.

ev/lam : eval (lam \x. E x) >-> {retn (lam \x. E x)}.
ev/app : eval (app E1 E2) >-> {eval E1 * cont (app1 E2)}.
ev/app1 : retn (lam \x. E x) * cont (app1 E2) >-> {eval E2 * cont (app2 \x. E x)}.
ev/app2 : retn V2 * cont (app2 \x. E x) >-> {eval (E V2)}.

Figure 6.6: A first-order ordered abstract machine semantics for CBV evaluation


The defunctionalization procedure introduces many new atomic propositions. The two predicates introduced in the call-by-value specification were called cont_app1 and cont_app2, and a larger specification will, in general, introduce many more. The one last twist we make is to observe that, instead of introducing a new ordered atomic proposition cont_i for each iteration of the defunctionalization procedure, it is possible to introduce a single type (frame : type) and a single atomic proposition (cont : frame → prop ord).

With this change, each iteration of the defunctionalization procedure adds a new constant with type Πy₁:τ₁ … Πy_m:τ_m. frame to the signature instead of a new atomic proposition with kind Πy₁:τ₁ … Πy_m:τ_m. prop ord. Operationally, these two approaches are equivalent, but it facilitates the addition of control features when we can modularly talk about all of the atomic propositions introduced by defunctionalization as having the form cont F for some term F of type frame.

The ordered abstract machine resulting from this version of defunctionalization and uncurrying is shown in Figure 6.6; this specification can be compared to the one in Figure 6.5.
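As an added example (not code from the dissertation or from the SLS prototype), the following Python carries out the defunctionalization of Section 6.2.1 together with the frame refactoring of Section 6.2.3 on the propositional signature of Figure 6.4. The rule representation, the frame and rule naming scheme (ruleA gives frameA1 and ruleA1) and the placement of the cont trigger as the last premise (the uncurried form of run_cont from Section 6.2.2) are assumptions of this example, chosen so that its output is the right-hand column of the figure.

```python
# Added example (not the dissertation's or the SLS prototype's code): the
# defunctionalization of Section 6.2.1 combined with the frame refactoring of
# Section 6.2.3, applied to the propositional signature of Figure 6.4.
# Assumed encoding: a rule is (name, premises, body); premises is the ordered
# conjunction left of the first arrow (a list of atom names) and body is the
# list inside the lax braces, whose elements are atoms (strings) or
# ('nested', premises, body) for a suspended nested rule  !(A >-> {B}).
# The naming ruleA -> frameA1 / ruleA1 mimics Figure 6.4 (an assumption).
from typing import List, Tuple


def defunctionalize(rules: List[tuple]) -> Tuple[List[str], List[tuple]]:
    """Return (frame constants, flat rules) in the order Figure 6.4 lists them."""
    frames: List[str] = []
    flat: List[tuple] = []
    for name, premises, body in rules:
        base = name[len("rule"):] if name.startswith("rule") else name
        _flatten(name, base, premises, body, [0], frames, flat)
    return frames, flat


def _flatten(name, base, premises, body, counter, frames, flat):
    """Replace each nested rule in `body` by a trigger `cont frameK`, emit this
    rule, then emit one flat rule per nested rule whose last premise is that
    trigger (the uncurried form of run_cont : cont frameK >-> A >-> {B})."""
    new_body: List[str] = []
    pending: List[tuple] = []
    for elem in body:
        if isinstance(elem, str):
            new_body.append(elem)
            continue
        _, nested_premises, nested_body = elem
        counter[0] += 1
        frame = f"frame{base}{counter[0]}"
        frames.append(frame)
        new_body.append(f"cont {frame}")
        pending.append((f"rule{base}{counter[0]}",
                        nested_premises + [f"cont {frame}"], nested_body))
    flat.append((name, premises, new_body))
    for sub_name, sub_premises, sub_body in pending:
        _flatten(sub_name, base, sub_premises, sub_body, counter, frames, flat)


def render(rule: tuple) -> str:
    """Print a flat rule in the ASCII syntax used by Figures 6.5 and 6.6."""
    name, premises, body = rule
    return f"{name} : {' * '.join(premises)} >-> {{{' * '.join(body)}}}"


# The nested signature of Figure 6.4 (constructed input).
FIG_6_4 = [
    ("ruleA", ["a"], ["b", ("nested", ["c"], ["d"])]),
    ("ruleB", ["c"], [("nested", ["d"], [("nested", ["a", "a"], ["b"])])]),
]


def figure_6_4_output() -> List[str]:
    """The right-hand column of Figure 6.4: declarations, then the flat rules."""
    frames, flat = defunctionalize(FIG_6_4)
    decls = ["frame : type.", "cont : frame -> prop ord."]
    decls += [f"{f} : frame." for f in frames]
    return decls + [render(r) for r in flat]


if __name__ == "__main__":
    print("\n".join(figure_6_4_output()))
```

The counter is shared along one chain of nested rules, which is what makes ruleB's two levels of nesting come out as frameB1 and frameB2 rather than restarting the numbering at each level.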


6.3 Adequacy with abstract machines

The four-rule abstract machine specification given at the beginning of this chapter is adequately represented by the derived SLS specification in Figure 6.6. For terms and for deductive computations, adequacy is a well-understood concept: we know what it means to define an adequate encoding function ⌜e⌝ = t from "on-paper" terms e with (potentially) variables x₁, …, x_n free to LF terms t where x₁:exp, …, x_n:exp ⊢ t : exp, and we know what it means to adequately encode the judgment e ⇓ v as a negative atomic SLS proposition ev ⌜e⌝ ⌜v⌝ and to encode derivations of this judgment to SLS terms N where ·; · ⊢_Σ N : (ev ⌜e⌝ ⌜v⌝) [HHP93, HL07]. In Section 4.4 we discussed the methodology of adequacy and applied it to the very simple push-down automata from the introduction. In this section, we will repeat this development for Figure 6.6. The generative signature itself has a slightly different character, but beyond that our discussion closely follows the contours of the adequacy argument from Section 4.4.

value : exp -> prop.
value/lam : value (lam \x. E x).

gen : prop ord.
gen/eval : gen >-> {eval E}.
gen/retn : gen * !value V >-> {retn V}.
gen/cont : gen >-> {gen * cont F}.

Figure 6.7: The generative signature Σ_Gen describing states Δ that equal ⌜s⌝ for some s

Recall the definition of states s, frames f, and stacks k from the beginning of this chapter. Our first step will be to define an interpretation function ⌜s⌝ = Δ from abstract machine states s to process states Δ so that, for example, the state

((… (halt; □ e₁) …); (λx.e_n) □) ◁ v

is interpreted as the process state

y:(retn ⌜v⌝), x_n:(cont (app2 λx.⌜e_n⌝)), …, x₁:(cont (app1 ⌜e₁⌝)).

We also define a generative signature that precisely captures the set of process states in the image of this translation. Having done so, we prove the property that encoded abstract machine states step, ⌜s⌝ ⇝_{Σ_CBV} Δ', where Σ_CBV stands for the signature in Figure 6.6, only when Δ' = ⌜s'⌝ for some abstract machine state s'. Then, the main adequacy result, that the interpretation of state s steps to the interpretation of state s' if and only if s ↦ s', follows by case analysis.

6.3.1  Encoding  states 

Our first goal is to describe a signature Σ_Gen with the property that if x:(gen) ⇝*_{Σ_Gen} Δ and Δ ⇏_{Σ_Gen}, then Δ encodes an abstract machine state s. A well-formed process state that represents an abstract machine state ((… (halt; f₁); …); f_n) ▷ e has the form

y:(eval ⌜e⌝), x_n:(cont ⌜f_n⌝), …, x₁:(cont ⌜f₁⌝)

where ⌜□ e₂⌝ = app1 ⌜e₂⌝ and ⌜(λx.e) □⌝ = app2 (λx.⌜e⌝). A well-formed process state representing a state k ◁ v has the same form, but with retn ⌜v⌝ instead of eval ⌜e⌝. We also stipulate that k ◁ v is only well-formed if v is actually a value: in our current specifications, the only values are functions ⌜λx.e⌝ = lam λx.⌜e⌝.

The simplest SLS signature that encodes well-formed states has the structure of a context-free grammar like the signature that encoded well-formed PDA states in Figure 4.15. The judgment value ⌜e⌝ captures the refinement of expressions e that are values. In addition to the declarations in Figure 6.7, the full signature Σ_Gen includes all the type, proposition, and constant declarations from Figure 6.6, but none of the rules.
Note that this specification cannot reasonably be run as a logic program, because the variables E, V and F appear to be invented out of thin air. Rather than traces in these signatures being produced by some concurrent computation (such as forward chaining), they are produced and manipulated by the constructive content of theorems like the ones in this section.

Theorem 6.5 (Encoding). Up to variable renaming, there is a bijective correspondence between abstract machine states s and process states Δ such that T :: (x:(gen) ord) ⇝*_{Σ_Gen} Δ and Δ ⇏_{Σ_Gen}.

The proof of Theorem 6.5 follows the structure of Theorem 4.6: we first define context encoding functions ⌜s⌝ and ⌜k⌝.

• ⌜k ▷ e⌝ = y:(eval ⌜e⌝), ⌜k⌝

• ⌜k ◁ v⌝ = y:(retn ⌜v⌝), ⌜k⌝

• ⌜halt⌝ = ·

• ⌜k; f⌝ = x_i:(cont ⌜f⌝), ⌜k⌝

It is simple to observe that the encoding function is injective (that ⌜s⌝ = ⌜s'⌝ if and only if s = s'), so showing that it is a well-defined injection into the generated states boils down to showing that every state s can be generated as a trace ⌜s⌝ = T :: (x:(gen)) ⇝*_{Σ_Gen} ⌜s⌝. Surjectivity requires us to do induction on the structure of T and case analysis on the first steps in T. Both steps require a lemma that the notion of value expressed by the predicate value in Σ_Gen matches the notion of values v used to define well-formed states k ◁ v.

6.3.2  Preservation  and  adequacy 

Generated  world  preservation  proceeds  as  in  Section  4.4.3  and  Theorem  4.7;  this  theorem  has  a 
form  that  we  will  consider  further  in  Chapter  9. 

Theorem 6.6 (Preservation). If T₁ :: (x:(gen)) ⇝*_{Σ_Gen} Δ₁, Δ₁ ⇏_{Σ_Gen}, and S :: Δ₁ ⇝_{Σ_CBV} Δ₂, then T₂ :: (x:(gen)) ⇝*_{Σ_Gen} Δ₂.

The proof proceeds by enumerating the synthetic transitions possible under Σ_CBV, performing inversion on the structure of the trace T₁, and using the results to construct the necessary result. This is the most interesting part of the adequacy proof, and a generalization of this preservation proof is carefully considered in Section 9.2 along with a more detailed discussion of the relevant inversion principles. With this property established, the final step is a straightforward enumeration, as Theorem 4.8 in Section 4.4.4 was.

Theorem 6.7 (Adequacy of the transition system). ⌜s⌝ ⇝_{Σ_CBV} ⌜s'⌝ if and only if s ↦ s'.

As in Section 4.4.4, the proof is a straightforward enumeration. An immediate corollary of Theorems 6.5–6.7 is the stronger adequacy result that if ⌜s⌝ ⇝_{Σ_CBV} Δ then Δ = ⌜s'⌝ for some s' such that s ↦ s'.


For each feature, the natural-semantics rule (left) and the corresponding ordered abstract machine rules (right):

  [fix x.e/x]e ⇓ v
  ----------------        ev/fix : eval (fix (\x. E x)) >-> {eval (E (fix (\x. E x)))}.
     fix x.e ⇓ v

     () ⇓ ()              ev/unit : eval unit >-> {retn unit}.

  e₁ ⇓ v₁   e₂ ⇓ v₂
  ------------------      ev/pair : eval (pair E1 E2) >-> {eval E1 * eval E2 * cont pair1}.
  (e₁, e₂) ⇓ (v₁, v₂)     ev/pair1 : retn V1 * retn V2 * cont pair1 >-> {retn (pair V1 V2)}.

    e ⇓ (v₁, v₂)
  ----------------        ev/fst : eval (fst E) >-> {eval E * cont fst1}.
      e.1 ⇓ v₁            ev/fst1 : retn (pair V1 V2) * cont fst1 >-> {retn V1}.

    e ⇓ (v₁, v₂)
  ----------------        ev/snd : eval (snd E) >-> {eval E * cont snd1}.
      e.2 ⇓ v₂            ev/snd1 : retn (pair V1 V2) * cont snd1 >-> {retn V2}.

      z ⇓ z               ev/zero : eval zero >-> {retn zero}.

      e ⇓ v
  ----------------        ev/succ : eval (succ E) >-> {eval E * cont succ1}.
     s e ⇓ s v            ev/succ1 : retn V * cont succ1 >-> {retn (succ V)}.

Figure 6.8: Semantics of some pure functional features


6.4  Exploring  the  image  of  operationalization 

The examples given in the previous section all deal with call-by-value semantics for the untyped lambda calculus, which has the property that any expression will either evaluate forever or will eventually evaluate to a value $\lambda x.e$. We now want to discuss ordered abstract machines with traces that might get stuck. One way to raise the possibility of stuck states is to add values besides $\lambda x.e$. In Figure 6.8 we present an extension to Figure 6.6 with some of the features of a pure "Mini-ML" functional programming language: fixed-point recursion ($\lceil\mathsf{fix}\,x.e\rceil = \mathsf{fix}\,\lambda x.\lceil e\rceil$), units and pairs ($\lceil()\rceil = \mathsf{unit}$, $\lceil(e_1, e_2)\rceil = \mathsf{pair}\,\lceil e_1\rceil\,\lceil e_2\rceil$), projections ($\lceil e.1\rceil = \mathsf{fst}\,\lceil e\rceil$, $\lceil e.2\rceil = \mathsf{snd}\,\lceil e\rceil$), and natural numbers ($\lceil\mathsf{z}\rceil = \mathsf{zero}$, $\lceil\mathsf{s}\,e\rceil = \mathsf{succ}\,\lceil e\rceil$). The natural semantics is given on the left-hand side of that figure, and the operationalized and defunctionalized ordered abstract machine that arises from (an SLS encoding of) that natural semantics is given on the right.

Note that, facilitated by the nondeterminism inherent in operationalization, we chose parallel evaluation of pairs even though the execution of functions is sequential in Figure 6.6. Traditional abstract machine semantics are syntactic and do not handle parallel evaluation; therefore, it is not possible to show that this ordered abstract machine adequately encodes a traditional abstract machine presentation of Mini-ML. Nevertheless, the SSOS specification as a whole adapts seamlessly to the presence of this new feature.

As we discussed in Chapter 4, when we treat a natural semantics specification as an inductive definition, only the behavior of terminating computations can be observed, and it is not possible to distinguish a non-terminating term like $\mathsf{fix}\,x.x$ from a stuck term like $\mathsf{z}.1$ without relying on
Natural semantics (left-hand side of the figure):

$$\frac{e_1 \Downarrow v}{e_1 \oplus e_2 \Downarrow v} \qquad \frac{e_2 \Downarrow v}{e_1 \oplus e_2 \Downarrow v}$$

Ordered abstract machine (right-hand side of the figure):

    ev/choose1: eval (choose E1 E2) >-> {eval E1}.
    ev/choose2: eval (choose E1 E2) >-> {eval E2}.

Figure 6.9: Semantics of nondeterministic choice


a characterization of partial proofs. This is one of the problems that Leroy and Grall sought to overcome in their presentation of coinductive big-step operational semantics [LG09]. They defined the judgment $e \Uparrow^\infty$ coinductively; therefore it is easy to express the difference between non-terminating terms ($\mathsf{fix}\,x.x \Uparrow^\infty$) and stuck ones (there is no $v$ such that $\mathsf{z}.1 \Downarrow v$ or $\mathsf{z}.1$

The translation of natural semantics into ordered abstract machines also allows us to distinguish $\mathsf{fix}\,x.x$ from $\mathsf{z}.1$. The former expression generates a trace that can always be extended:

$$x_1{:}(\mathsf{eval}\,(\mathsf{fix}\,\lambda x.x)) \leadsto x_2{:}(\mathsf{eval}\,(\mathsf{fix}\,\lambda x.x)) \leadsto x_3{:}(\mathsf{eval}\,(\mathsf{fix}\,\lambda x.x)) \leadsto \ldots$$

whereas the latter gets stuck and can make no more transitions:

$$x_1{:}(\mathsf{eval}\,(\mathsf{fst}\,\mathsf{zero})) \leadsto x_2{:}(\mathsf{eval}\,\mathsf{zero}),\ y{:}(\mathsf{cont}\,\mathsf{fst1}) \leadsto x_3{:}(\mathsf{retn}\,\mathsf{zero}),\ y{:}(\mathsf{cont}\,\mathsf{fst1}) \not\leadsto$$

Because $(x_3{:}(\mathsf{retn}\,\mathsf{zero}),\ y{:}(\mathsf{cont}\,\mathsf{fst1}))$ is not a final state (only states consisting of a single $\mathsf{retn}\,\lceil v\rceil$ proposition are final), this is a stuck state and not a completed computation.

Thus, for deterministic semantics, both coinductive big-step operational semantics and the operationalization transformation represent ways of reasoning about the difference between non-termination and failure in a natural semantics. Our approach has the advantage of being automatic rather than requiring the definition of a new coinductive relation $e \Uparrow^\infty$, though it would presumably be possible to consider synthesizing the definition of $e \Uparrow^\infty$ from the definition of $e \Downarrow v$ by an analogue of our operationalization transformation.

In Section 6.4.1, we discuss the advantages that operationalization has in dealing with nondeterministic language features. These advantages do come with a cost when we consider natural semantics specifications that make deterministic choices, which we discuss in Section 6.4.2.

6.4.1  Arbitrary  choice  and  failure 

For the purposes of illustration, we will extend the language of expressions with a nondeterministic choice operator ($\lceil e_1 \oplus e_2\rceil = \mathsf{choose}\,\lceil e_1\rceil\,\lceil e_2\rceil$). The two natural semantics rules for this extension and their (tail-recursion optimized) operationalization are shown in Figure 6.9.

We need to think about the desired semantics of expressions like $(\lambda y.y) \oplus \mathsf{z}.1$: if the first subexpression $(\lambda y.y)$ is chosen for evaluation, then the expression evaluates to a value, but if the second subexpression $\mathsf{z}.1$ is chosen, then the evaluation gets stuck. Small-step intuitions about language safety say that this is a possibility we should be able to express, if only to exclude it with an appropriately designed type system and type safety proof. The ordered abstract machine semantics allows us to produce traces where $x{:}(\mathsf{eval}\,\lceil(\lambda y.y) \oplus \mathsf{z}.1\rceil) \leadsto y{:}(\mathsf{eval}\,(\mathsf{lam}\,\lambda y.y))$ and where $x{:}(\mathsf{eval}\,\lceil(\lambda y.y) \oplus \mathsf{z}.1\rceil) \leadsto^* (x'{:}(\mathsf{retn}\,\mathsf{zero}),\ y{:}(\mathsf{cont}\,\mathsf{fst1}))$, as we would hope. Natural semantics specifications (including coinductive big-step operational semantics) merely conclude that $(\lambda y.y) \oplus \mathsf{z}.1 \Downarrow (\lambda y.y)$. Capturing the stuck behavior in this situation would require defining an extra inductive judgment capturing all the situations where $e$ can get stuck, which is verbose and error-prone [Har12, Section 7.3].

Our ability to reason about evaluations that go wrong is an artifact of the fact that SLS allows us to talk about traces $T$ that represent the process of incomplete proof search in addition to talking about complete proofs. A trace that reaches a state that is not a final $\mathsf{retn}\,\lceil v\rceil$ state but that cannot step further, like $T :: (x{:}(\mathsf{eval}\,\lceil(\lambda y.y) \oplus \mathsf{z}.1\rceil)) \leadsto^* (x'{:}(\mathsf{retn}\,\mathsf{zero}),\ y{:}(\mathsf{cont}\,\mathsf{fst1}))$, corresponds to a point at which backward chaining proof search must backtrack (in a backtracking interpreter) or immediately fail (in a flat resolution interpreter). The trace above corresponds semantically to a failing or going-wrong evaluation, implying that backtracking is not the correct choice. Such an evaluation ought to fail, and therefore faithfully capturing the semantics of nondeterministic choice $e_1 \oplus e_2$ with a natural semantics requires us to use a particular operational interpretation of the natural semantics that is based on non-backtracking backward chaining (flat resolution). The operationalization transformation allows us to concretize this particular operational strategy with traces.

6.4.2  Conditionals  and  factoring 

It is great that we're able to reason about nondeterministic specifications in the output of the operationalization transformation! However, a complication arises if we try to encode a Mini-ML feature that was conspicuously missing from Figure 6.8: the elimination form for natural numbers $\lceil\mathsf{case}\ e\ \mathsf{of}\ \mathsf{z} \Rightarrow e_z \mid \mathsf{s}\,x \Rightarrow e_s\rceil = \mathsf{case}\,\lceil e\rceil\,\lceil e_z\rceil\,(\lambda x.\lceil e_s\rceil)$. The usual natural semantics for case analysis look like this:

$$\frac{e \Downarrow \mathsf{z} \quad e_z \Downarrow v}{(\mathsf{case}\ e\ \mathsf{of}\ \mathsf{z} \Rightarrow e_z \mid \mathsf{s}\,x \Rightarrow e_s) \Downarrow v}\ \mathit{ev/casez} \qquad \frac{e \Downarrow \mathsf{s}\,v' \quad [v'/x]e_s \Downarrow v}{(\mathsf{case}\ e\ \mathsf{of}\ \mathsf{z} \Rightarrow e_z \mid \mathsf{s}\,x \Rightarrow e_s) \Downarrow v}\ \mathit{ev/cases}$$

If we operationalize this specification directly, we get an ordered abstract machine shown in Figure 6.10 before defunctionalization and in Figure 6.11 after defunctionalization. This specification is nondeterministic much as the specification of $e_1 \oplus e_2$ was: we can evaluate a case expression either with rule ev/casez, which effectively predicts that the answer will be zero, or with rule ev/cases, which effectively predicts that the answer will be the successor of some value. But this means that it is possible to get stuck while executing an intuitively type-safe expression if we predict the wrong branch:

$$x_1{:}(\mathsf{eval}\,(\mathsf{case}\,\mathsf{zero}\,e_z\,\lambda x.e_s)) \leadsto x_2{:}(\mathsf{eval}\,\mathsf{zero}),\ y_2{:}(\mathsf{cont}\,(\mathsf{cases}\,\lambda x.e_s)) \leadsto x_3{:}(\mathsf{retn}\,\mathsf{zero}),\ y_2{:}(\mathsf{cont}\,(\mathsf{cases}\,\lambda x.e_s)) \not\leadsto$$

This is a special case of a well-known general problem: in order for us to interpret the usual natural semantics specification (rules ev/casez and ev/cases above) as an operational specification, we need backtracking. With backtracking, if we try to evaluate $e$ using one of the rules and
    ev/casez: eval (case E Ez (\x. Es x))
                >-> {eval E * (retn zero >-> {eval Ez})}.

    ev/cases: eval (case E Ez (\x. Es x))
                >-> {eval E * (All V'. retn (succ V') >-> {eval (Es V')})}.

Figure 6.10: Problematic semantics of case analysis (not defunctionalized)


    ev/casez:  eval (case E Ez (\x. Es x))
                 >-> {eval E * cont (casez Ez)}.
    ev/casez1: retn zero * cont (casez Ez)
                 >-> {eval Ez}.

    ev/cases:  eval (case E Ez (\x. Es x))
                 >-> {eval E * cont (cases \x. Es x)}.
    ev/cases1: retn (succ V) * cont (cases \x. Es x)
                 >-> {eval (Es V)}.

Figure 6.11: Problematic semantics of case analysis (defunctionalized)


fail, a backtracking semantics means that we will apply the other rule, re-evaluating the scrutinee $e$ to a value. Backtracking is therefore necessary for a correct interpretation of the standard rules above, even though it is incompatible with a faithful account of nondeterministic choice! Something must give: we can either give up on interpreting nondeterministic choice correctly or we can change the natural semantics for case analysis. Luckily, the second option is both possible and straightforward.

It is possible to modify the natural semantics for case analysis to avoid backtracking by a transformation called factoring. Factoring has been expressed by Poswolsky and Schürmann as a transformation on functional programs in a variant of the Delphin programming language [PS03]. It can also be seen as a generally-correct logical transformation on Prolog, λProlog, or Twelf specifications, though this appears to be a folk theorem. We factor this specification by creating a new judgment $(v', e_z, x.e_s) \Downarrow' v$ that is mutually recursive with the definition of $e \Downarrow v$.


$$\frac{e \Downarrow v' \quad (v', e_z, x.e_s) \Downarrow' v}{(\mathsf{case}\ e\ \mathsf{of}\ \mathsf{z} \Rightarrow e_z \mid \mathsf{s}\,x \Rightarrow e_s) \Downarrow v}\ \mathit{ev/case} \qquad \frac{e_z \Downarrow v}{(\mathsf{z}, e_z, x.e_s) \Downarrow' v}\ \mathit{casen/z} \qquad \frac{[v'/x]e_s \Downarrow v}{(\mathsf{s}\,v', e_z, x.e_s) \Downarrow' v}\ \mathit{casen/s}$$


This natural semantics specification is provably equivalent to the previous one we gave when rules are interpreted as inductive definitions. Not only are the same judgments $e \Downarrow v$ derivable, the sets of possible derivations are isomorphic, and it is possible to use the existing metatheoretic machinery of Twelf to verify this fact. In fact, the two specifications are also equivalent if we understand natural semantics in terms of the success or failure of backtracking proof search, though the factored presentation avoids redundantly re-evaluating the scrutinee. It is only when
    ev/case: eval (case E Ez (\x. Es x))
               >-> {eval E * (All V'. retn V' >-> {casen V' Ez (\x. Es x)})}.

    casen/z: casen zero Ez (\x. Es x) >-> {eval Ez}.

    casen/s: casen (succ V') Ez (\x. Es x) >-> {eval (Es V')}.

Figure 6.12: Revised semantics of case analysis (not defunctionalized)

    ev/case:  eval (case E Ez (\x. Es x))
                >-> {eval E * cont (case1 Ez (\x. Es x))}.

    ev/case1: retn V' * cont (case1 Ez (\x. Es x))
                >-> {casen V' Ez (\x. Es x)}.

    casen/z:  casen zero Ez (\x. Es x) >-> {eval Ez}.

    casen/s:  casen (succ V') Ez (\x. Es x) >-> {eval (Es V')}.

Figure 6.13: Revised semantics of case analysis (defunctionalized)


we interpret the natural semantics specification through the lens of non-backtracking backward chaining (also called flat resolution) that the specifications differ.

The operationalization of these rules is shown in Figure 6.12 before defunctionalization and in Figure 6.13 after defunctionalization. In those figures, the standard evaluation judgment $e \Downarrow v$ is given the now-familiar evaluation and return predicates eval and retn. The judgment $(v', e_z, x.e_s) \Downarrow' v$ is given the evaluation predicate casen, and shares the return predicate retn with the judgment $e \Downarrow v$. This is a new aspect of operationalization. It is critical for us to assign each predicate $a_c$ uniquely to an evaluation predicate $\mathsf{eval}_a$; without this condition, soundness (Theorem 6.4) would fail to hold. However, we never rely on $a_c$ being uniquely assigned a return predicate. When return predicates that have the same type are allowed to overlap, it enables the tail-call optimization described in Section 6.1.3 to apply even when the tail call is to a different procedure. This, in turn, greatly simplifies Figures 6.12 and 6.13.
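The contrast between Figures 6.11 and 6.13 can be checked mechanically. The following is an added example, not code from the thesis or from the SLS implementation: it simulates an ordered abstract machine over a tuple of ordered propositions (leftmost first), where each rule rewrites one contiguous window of the state, which is how an ordered-logic rule such as `retn V * cont fst1 >-> {retn V}` consumes adjacent resources. It goes slightly beyond the text in that rules may fire at any offset, so the parallel `ev/pair` rule of Figure 6.8 is handled too. Branch bodies (`\x. Es x`) are Python callables; the expression names, the `explore` search and the `demo` driver are all constructed for this example.

```python
"""Ordered abstract machine for a Mini-ML fragment: naturals, pairs, fst, case.

Constructed example. A process state is a tuple of propositions ('eval', e),
('retn', v), ('cont', frame) or ('casen', v, ez, es), leftmost first. A rule
is (name, window width, function from a window to its replacement or None).
"""
from collections import deque

ZERO = ('zero',)
def succ(e): return ('succ', e)
def fst(e): return ('fst', e)
def pair(e1, e2): return ('pair', e1, e2)
def case(e, ez, es): return ('case', e, ez, es)   # es: value -> expression (HOAS, like \x. Es x)

def ev(e): return ('eval', e)
def retn(v): return ('retn', v)
def cont(frame): return ('cont', frame)

def evaluating(w, ctor):
    """True if the window starts with `eval (ctor ...)`."""
    return w[0][0] == 'eval' and w[0][1][0] == ctor

def returning(w, ctor=None):
    """True if the window starts with `retn v` (and v is built by ctor, if given)."""
    return w[0][0] == 'retn' and (ctor is None or w[0][1][0] == ctor)

def frame(w, i, name):
    """True if the i-th proposition of the window is `cont (name ...)`."""
    return w[i][0] == 'cont' and w[i][1][0] == name

BASE = [  # Figure 6.8 (pairs are evaluated in parallel: two eval propositions)
    ('ev/zero',  1, lambda w: (retn(ZERO),) if w[0] == ev(ZERO) else None),
    ('ev/succ',  1, lambda w: (ev(w[0][1][1]), cont(('succ1',))) if evaluating(w, 'succ') else None),
    ('ev/succ1', 2, lambda w: (retn(succ(w[0][1])),) if returning(w) and frame(w, 1, 'succ1') else None),
    ('ev/pair',  1, lambda w: (ev(w[0][1][1]), ev(w[0][1][2]), cont(('pair1',))) if evaluating(w, 'pair') else None),
    ('ev/pair1', 3, lambda w: (retn(pair(w[0][1], w[1][1])),)
                    if returning(w) and returning(w[1:]) and frame(w, 2, 'pair1') else None),
    ('ev/fst',   1, lambda w: (ev(w[0][1][1]), cont(('fst1',))) if evaluating(w, 'fst') else None),
    ('ev/fst1',  2, lambda w: (retn(w[0][1][1]),) if returning(w, 'pair') and frame(w, 1, 'fst1') else None),
]

PROBLEMATIC_CASE = [  # Figure 6.11: the rule chosen predicts the scrutinee's shape
    ('ev/casez',  1, lambda w: (ev(w[0][1][1]), cont(('casez', w[0][1][2]))) if evaluating(w, 'case') else None),
    ('ev/casez1', 2, lambda w: (ev(w[1][1][1]),) if w[0] == retn(ZERO) and frame(w, 1, 'casez') else None),
    ('ev/cases',  1, lambda w: (ev(w[0][1][1]), cont(('cases', w[0][1][3]))) if evaluating(w, 'case') else None),
    ('ev/cases1', 2, lambda w: (ev(w[1][1][1](w[0][1][1])),) if returning(w, 'succ') and frame(w, 1, 'cases') else None),
]

FACTORED_CASE = [  # Figure 6.13: evaluate first, then dispatch on the returned value
    ('ev/case',  1, lambda w: (ev(w[0][1][1]), cont(('case1', w[0][1][2], w[0][1][3]))) if evaluating(w, 'case') else None),
    ('ev/case1', 2, lambda w: (('casen', w[0][1], w[1][1][1], w[1][1][2]),) if returning(w) and frame(w, 1, 'case1') else None),
    ('casen/z',  1, lambda w: (ev(w[0][2]),) if w[0][0] == 'casen' and w[0][1] == ZERO else None),
    ('casen/s',  1, lambda w: (ev(w[0][3](w[0][1][1])),) if w[0][0] == 'casen' and w[0][1][0] == 'succ' else None),
]

def successors(state, rules):
    """All states reachable by one synthetic transition: every rule at every offset."""
    out = []
    for name, width, fn in rules:
        for i in range(len(state) - width + 1):
            repl = fn(state[i:i + width])
            if repl is not None:
                out.append((name, state[:i] + repl + state[i + width:]))
    return out

def is_final(state):
    """Only a lone retn proposition is a final state (Section 6.4)."""
    return len(state) == 1 and state[0][0] == 'retn'

def explore(expr, rules):
    """Exhaustive search from eval expr: (set of final values, number of stuck states)."""
    start = (ev(expr),)
    seen, todo, finals, stuck = {start}, deque([start]), set(), 0
    while todo:
        st = todo.popleft()
        nxt = successors(st, rules)
        if not nxt:                       # non-extendable trace: final or stuck
            if is_final(st):
                finals.add(st[0][1])
            else:
                stuck += 1
        for _, s2 in nxt:
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return finals, stuck

def demo():
    """Outcomes for the situations discussed in Section 6.4 (constructed inputs)."""
    prog = case(succ(ZERO), ZERO, lambda v: succ(succ(v)))   # case s z of z => z | s x => s (s x)
    return {
        'problematic':   explore(prog, BASE + PROBLEMATIC_CASE),  # wrong prediction gets stuck
        'factored':      explore(prog, BASE + FACTORED_CASE),     # never stuck
        'stuck fst':     explore(fst(ZERO), BASE),                # z.1 has no value
        'parallel pair': explore(fst(pair(succ(ZERO), ZERO)), BASE),
    }

if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

Under the problematic rules the exhaustive search finds the one value `succ (succ zero)` but also one stuck state, the trace that predicted `ev/casez` for a scrutinee that returns `succ zero`; under the factored rules the same value is found with no stuck state, and `fst zero` yields no value and exactly one stuck state, matching the trace discussed after Figure 6.9.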

6.4.3  Operationalization  and  computation 

When we described the semantics of nondeterministic choice $e_1 \oplus e_2$, our operational intuition was to search either for a value such that $e_1 \Downarrow v$ or a value such that $e_2 \Downarrow v$. This implies an operational interpretation of natural semantics as flat resolution as opposed to backward chaining with backtracking. Maintaining this non-backtracking intuition means that some natural semantics specifications, such as those for case analysis, need to be revised. It is a folk theorem that such revisions are always possible by factoring [PS03]; therefore, we can conclude that in the context of natural semantics specifications the form of deductive computation (Section 4.6.1) that we are most interested in is flat resolution.

Under the operationalization transformation, traces represent the internal structure of proof search, and a non-extendable (and non-final) trace represents a situation in which backward chaining search backtracks and where flat resolution search gives up. If we search for a trace $(x{:}(\mathsf{eval}\,\lceil e\rceil)) \leadsto^* (y{:}(\mathsf{retn}\,\lceil v\rceil))$ in an operationalized specification using committed-choice forward chaining, the operational behavior will coincide with the behavior of flat resolution in the original specification. Alternatively, if we take the exhaustive search interpretation of an operationalized specification and attempt to answer, one way or the other, whether a trace of the form $(x{:}(\mathsf{eval}\,\lceil e\rceil)) \leadsto^* (y{:}(\mathsf{retn}\,\lceil v\rceil))$ can be constructed, then the operational behavior of the interpreter will coincide with the behavior of backtracking backward chaining in the original specification.

Therefore, operationalization can be said to connect backward chaining in the deductive fragment of SLS to forward chaining in the concurrent fragment of SLS. More precisely, operationalization both connects flat resolution to committed-choice forward chaining and connects backtracking backward chaining to the exhaustive search interpretation of forward chaining.


6.5  Exploring  the  richer  fragment 

Work by Danvy et al. on the functional correspondence has generally been concerned with exploring tight correspondences between different styles of specification. However, as we discussed in Section 5.3, one of the main reasons the logical correspondence in SLS is interesting is because, once we translate from a less expressive style (natural semantics) to a more expressive style (ordered abstract machine semantics), we can consider new modular extensions in the more expressive style that were not possible in the less expressive style. As we discussed in Chapter 1, extending a natural semantics with state requires us to revise every existing rule, whereas an SSOS specification can be extended in a modular fashion: we just insert new rules that deal with state. The opportunities for modular extension are part of what distinguishes the logical correspondence we have presented from the work by Hannan and Miller [HM92] and Ager [Age04]. Both of those papers translated natural semantics into a syntactic specification of abstract machines; such specifications are not modularly extensible to the degree that concurrent SLS specifications are.

The ordered abstract machine style of specification facilitates modular extension with features that involve state and parallel evaluation. We have already seen examples of the latter: the operationalization translation (as extended in Section 6.1.4) can put a natural semantics specification into logical correspondence with either a sequential ordered abstract machine semantics or a parallel ordered abstract machine semantics, and our running example evaluates pairs in parallel. In this section, we will consider some other extensions, focusing on stateful features like mutable storage (Section 6.5.1) and call-by-need evaluation (Section 6.5.2). We will also discuss the semantics of recoverable failure in Section 6.5.4. The presentation of recoverable failure will lead us to consider a point of non-modularity: if we want to extend our language flexibly with non-local control features like recoverable failure, the parallel operationalization translation will make this difficult or impossible. A more modular semantics of parallel evaluation will be presented in Section 7.2.1.

This section will present extensions to the sequential, flat abstract machine for parallel evaluation presented in Figure 6.6. We first presented most of these specifications in [PS09].
    cell: mutable_loc -> exp -> prop lin.

    ev/loc:  eval (loc L) >-> {retn (loc L)}.

    ev/ref:  eval (ref E) >-> {eval E * cont ref1}.
    ev/ref1: retn V * cont ref1 >-> {Exists l. $cell l V * retn (loc l)}.

    ev/get:  eval (get E) >-> {eval E * cont get1}.
    ev/get1: retn (loc L) * cont get1 * $cell L V >-> {retn V * $cell L V}.

    ev/set:  eval (set E1 E2) >-> {eval E1 * cont (set1 E2)}.
    ev/set1: retn (loc L) * cont (set1 E2) >-> {eval E2 * cont (set2 L)}.
    ev/set2: retn V2 * cont (set2 L) * $cell L _ >-> {retn unit * $cell L V2}.

Figure 6.14: Semantics of mutable storage

6.5.1  Mutable  storage 

Classic stateful programming languages feature mutable storage, which forms the basis of imperative algorithms. We will consider ML-style references, which add four new syntax forms to the language. The first three create ($\lceil\mathsf{ref}\,e\rceil = \mathsf{ref}\,\lceil e\rceil$), dereference ($\lceil!e\rceil = \mathsf{get}\,\lceil e\rceil$), and update ($\lceil e_1 := e_2\rceil = \mathsf{set}\,\lceil e_1\rceil\,\lceil e_2\rceil$) dynamically allocated cells in the heap. The fourth, $\mathsf{loc}\,l$, is a value that represents pointers to allocated memory. The term $l$ is of a type $\mathsf{mutable\_loc}$ that has no constructors; locations $l$ can only be allocated at runtime. We also introduce a new linear atomic proposition $\mathsf{cell}\,l\,v$ representing a piece of allocated memory (at location $l$) and its contents (the value $v$). (Recall from Section 4.5 that, in the ASCII notation for SLS, these linear propositions are written $cell L V, as $ is used as the ASCII representation of the mobile modality $\mathord{¡}A$.)

A collection of linear propositions acts much like one of Jeannin and Kozen's capsules [JK12], but unlike capsule formulations (and most other existing specification frameworks), we can introduce state in this way without revising any of the rules introduced in the previous section. Without mutable state or parallel computation, specifications such as the one in Figure 6.8 maintain the invariant that the process state $\Delta$ is made up of either an $\mathsf{eval}\,e$ proposition or a $\mathsf{retn}\,v$ proposition to the left of some number of $\mathsf{cont}\,f$ propositions. Once we add mutable state, the first-order (or LF) context $\Psi$, which has been empty in the SSOS semantics we have considered so far, becomes non-empty. We maintain the invariant that the context has one mutable location for each allocated cell:

$$(l_1{:}\mathsf{mutable\_loc}, \ldots, l_n{:}\mathsf{mutable\_loc};\ x_1{:}(\mathsf{cell}\,l_1\,v_1), \ldots, x_n{:}(\mathsf{cell}\,l_n\,v_n), \Delta)$$

where $\Delta$ has the form described before. Because the $\mathsf{cell}\,l_i\,v_i$ propositions are mobile, the order of cells is irrelevant, as is the placement of these cells relative to the control structure encoded in the context $\Delta$.

The semantics of mutable storage are presented in Figure 6.14. Rule ev/get in that figure takes an expression $\mathsf{get}\,E$ and evaluates $E$ to a value of the form $\mathsf{loc}\,L$. After that, rule ev/get1 takes the (unique, by invariant) cell associated with the location $L$, reads its value, and restores the cell to the context. The synthetic transition associated with ev/get1 is as follows:

$$(\Psi;\ \Theta\{x{:}(\mathsf{retn}\,(\mathsf{loc}\,l)),\ y{:}(\mathsf{cont}\,\mathsf{get1}),\ z{:}(\mathsf{cell}\,l\,v)\}) \leadsto (\Psi;\ \Theta\{w{:}(\mathsf{retn}\,v)\ \mathit{ord},\ z'{:}(\mathsf{cell}\,l\,v)\ \mathit{eph}\})$$

Again, it is critical, when reading this transition, to account for the fact that retn and cont are ordered predicates but cell is a mobile predicate.

The set rules are similar, except that we also evaluate a new value $v_2$ and restore that value to the process state instead of the value previously contained in the cell. We mention $\mathsf{cell}\,l\,\_$ in the premise of ev/set2 only to consume the old cell associated with $l$ before we replace it with something new. If multiple parts of a process state are trying to consume the same resource in order to set the value of a cell concurrently, we have a race condition; this possibility is discussed below.

Finally, the ref rules evaluate the subexpression to a value $v$ and then, in rule ev/ref1, allocate a new cell to hold that value. This new cell, according to our context invariant, needs to be associated with a new variable $l$, which we generate with existential quantification in the head of the ev/ref1 rule. The synthetic transition associated with ev/ref1 therefore has an extended first-order context after the transition:

$$(\Psi;\ \Theta\{x{:}(\mathsf{retn}\,v),\ y{:}(\mathsf{cont}\,\mathsf{ref1})\}) \leadsto (\Psi, l{:}\mathsf{mutable\_loc};\ \Theta\{w{:}(\mathsf{retn}\,(\mathsf{loc}\,l))\ \mathit{ord},\ z{:}(\mathsf{cell}\,l\,v)\ \mathit{eph}\})$$


Existential  angst 

Our semantics of mutable storage uses existential quantification as a symbol generator to conjure up new locations. However, it is important to remember that LF variables in $\Psi$ are defined by substitution, so if there is a step $(\Psi, l_1{:}\mathsf{loc}, l_2{:}\mathsf{loc};\ \Delta) \leadsto (\Psi, l_1{:}\mathsf{loc}, l_2{:}\mathsf{loc};\ \Delta')$, it must also be the case that $(\Psi, l_1{:}\mathsf{loc};\ [l_1/l_2]\Delta) \leadsto (\Psi, l_1{:}\mathsf{loc};\ [l_1/l_2]\Delta')$. Therefore, there can be no SLS proposition or synthetic transition that holds only if two variables are distinct, since by definition the same proposition or synthetic transition would hold when we unified the two variables. This, in turn, means our specification of Mini-ML with mutable references cannot be further extended to include the tests for reference equality that languages like Standard ML or OCaml have, since locations are described only as variables.

One workaround to this problem is to maintain an association between distinct variables $l$ and distinct concrete terms (usually distinct natural numbers) in the process state. It is possible to use generative signatures to enforce that all well-formed states associate distinct variables with distinct concrete terms, as described in Section 9.4.4. In such a specification, we can use inequality of the concrete terms as a proxy for inequality of the variables. It will still be the case that unifying distinct variables preserves transitions, but we can ensure that any process state obtained by unifying distinct variables is not well-formed according to the generative invariant.

I believe that a substructural treatment of nominal quantification could be incorporated into SLS and would allow for locations to be handled in a more satisfying way along the lines of proposals by Cheney and Harper [Che12, Har12]. This extension to the SLS framework is beyond the scope of this thesis, however. Luckily, aside from being unable to elegantly represent tests for pointer inequality or the entirety of Harper's Modernized Algol [Har12, Chapter 35], we will not miss name generation facilities much in the context of this thesis. One of the most important use cases of name generation and nominal abstraction is in reasoning about logical specifications within a uniform logic [GMN11], and this thesis does not consider a uniform metalogic for SLS specifications.


Race  conditions 

Because ordered abstract machine semantics allow us to add both state and parallelism to specifications, the issue of race conditions, which arise whenever there is both concurrency and state, should be briefly addressed. Fundamentally, SLS and SSOS specifications have no notion of atomicity beyond the one provided by focusing and synthetic inference rules, and so race conditions can arise.


$$(l{:}\mathsf{mutable\_loc};\ x_1{:}(\mathsf{cell}\,l\,\mathsf{zero})\ \mathit{eph},\ x_2{:}(\mathsf{retn}\,(\mathsf{succ}\,\mathsf{zero}))\ \mathit{ord},\ x_3{:}(\mathsf{cont}\,(\mathsf{set2}\,l))\ \mathit{ord},\ x_4{:}(\mathsf{retn}\,(\mathsf{succ}\,(\mathsf{succ}\,\mathsf{zero})))\ \mathit{ord},\ x_5{:}(\mathsf{cont}\,(\mathsf{set2}\,l))\ \mathit{ord},\ x_6{:}(\mathsf{cont}\,\mathsf{pair1})\ \mathit{ord})$$

Figure 6.15: A racy process state


A process state that starts out containing only $\mathsf{eval}\,\lceil(\lambda x.(\mathsf{set}\,x\,(\mathsf{s}\,\mathsf{z}), \mathsf{set}\,x\,(\mathsf{s}\,(\mathsf{s}\,\mathsf{z}))))\,(\mathsf{ref}\,\mathsf{z})\rceil$, for example, can evaluate to the process state in Figure 6.15. Two different transitions out of this state can both manipulate the data associated with the mutable location $l$; this is a race condition. Reasoning about race conditions (and possibly precluding them from well-formed specifications) is not within the scope of this thesis. The applicability of generative invariants discussed in Chapter 9 to race conditions is, however, certainly an interesting topic for future work. If we set up the semantics such that a situation like the one above could nondeterministically transition to an ill-formed error state, then it would not be possible to prove the preservation of the generative invariant unless the well-formedness criteria expressed by that invariant precluded the existence of race conditions.
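The race in Figure 6.15 can be made concrete by enumerating the synthetic transitions enabled in that state. The following is an added example, not code from the thesis or the SLS implementation: the ordered retn/cont propositions are kept as a tuple (leftmost first) while the mobile `cell l v` propositions are kept apart as a multiset, since their position relative to the control structure is irrelevant. Only the two rules needed to finish the computation, ev/set2 from Figure 6.14 and ev/pair1 from Figure 6.8, are modelled; the state `RACY_STATE` is a transcription of Figure 6.15 with constructed labels, and `transitions` and `final_contents` are names chosen for this example.

```python
"""Race condition in the mutable-storage semantics (Figures 6.14 and 6.15).

Constructed example. A process state is {'cells': {label: (loc, value)},
'ord': tuple of ('retn', v) / ('cont', frame), leftmost first}. Cells are
ephemeral (eph) and mobile; retn and cont are ordered (ord).
"""
from collections import deque

ZERO = ('zero',)
def succ(v): return ('succ', v)

# Transcription of Figure 6.15: one cell at location l, two pending set2 writers.
RACY_STATE = {
    'cells': {'x1': ('l', ZERO)},
    'ord': (('retn', succ(ZERO)),        ('cont', ('set2', 'l')),
            ('retn', succ(succ(ZERO))),  ('cont', ('set2', 'l')),
            ('cont', ('pair1',))),
}

def transitions(st):
    """Every synthetic transition enabled by ev/set2 or ev/pair1, as (rule, new state)."""
    out, o = [], st['ord']
    for i in range(len(o) - 1):
        # ev/set2: retn V2 * cont (set2 L) * $cell L _ >-> {retn unit * $cell L V2}
        # The two ordered propositions must be adjacent; the cell may be anywhere, but
        # exactly one linear cell for L is consumed, so each such cell is its own transition.
        if o[i][0] == 'retn' and o[i + 1][0] == 'cont' and o[i + 1][1][0] == 'set2':
            loc = o[i + 1][1][1]
            for lab, (l, _old) in st['cells'].items():
                if l == loc:
                    cells = dict(st['cells'])
                    cells[lab] = (loc, o[i][1])
                    out.append(('ev/set2 via ' + lab,
                                {'cells': cells, 'ord': o[:i] + (('retn', ('unit',)),) + o[i + 2:]}))
    for i in range(len(o) - 2):
        # ev/pair1: retn V1 * retn V2 * cont pair1 >-> {retn (pair V1 V2)}
        if o[i][0] == 'retn' and o[i + 1][0] == 'retn' and o[i + 2] == ('cont', ('pair1',)):
            out.append(('ev/pair1',
                        {'cells': dict(st['cells']),
                         'ord': o[:i] + (('retn', ('pair', o[i][1], o[i + 1][1])),) + o[i + 3:]}))
    return out

def is_final(st):
    """A single retn proposition (cells are allowed to remain)."""
    return len(st['ord']) == 1 and st['ord'][0][0] == 'retn'

def key(st):
    """Hashable view of a state for the visited set."""
    return (tuple(sorted(st['cells'].items())), st['ord'])

def final_contents(st, loc='l'):
    """Exhaustive search from st; the set of values held by `cell loc _` in final states.
    More than one element means the outcome depends on which transition wins the race."""
    seen, todo, results = {key(st)}, deque([st]), set()
    while todo:
        cur = todo.popleft()
        if is_final(cur):
            results |= {v for (l, v) in cur['cells'].values() if l == loc}
        for _, nxt in transitions(cur):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                todo.append(nxt)
    return results

if __name__ == '__main__':
    print([rule for rule, _ in transitions(RACY_STATE)])   # two competing ev/set2 steps
    print(final_contents(RACY_STATE))                      # both possible final cell values
```

Two ev/set2 transitions are enabled in the racy state, one per writer, and the exhaustive search reaches final states in which the cell holds either `succ zero` or `succ (succ zero)` depending on which write was applied last; a non-racy state would yield a single final value.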

Let us consider what happens when we operationalize a natural semantics that uses state. Recall that the addition of an imperative counter to the natural semantics for CBV evaluation was presented as a non-modular extension, because we had to revise the existing rules for functions and application as follows:

$$\frac{}{(\lambda x.e, n) \Downarrow (\lambda x.e, n)} \qquad \frac{(e_1, n) \Downarrow (\lambda x.e, n_1) \quad (e_2, n_1) \Downarrow (v_2, n_2) \quad ([v_2/x]e, n_2) \Downarrow (v, n')}{(e_1\,e_2, n) \Downarrow (v, n')}$$

In the pure CBV specification, the two premises $e_1 \Downarrow \lambda x.e$ and $e_2 \Downarrow v_2$ could be treated as independent and could be made parallel by the operationalization transformation, but the two premises $(e_1, n) \Downarrow (\lambda x.e, n_1)$ and $(e_2, n_1) \Downarrow (v_2, n_2)$ are not: the first premise binds $n_1$, which appears as an input argument to the second premise. Therefore, from the perspective of operationalization, parallel evaluation and state are simply incompatible: having state in the original specification will preclude parallel evaluation (and therefore race conditions) in the operationalized specification.

Ordered  abstract  machine  semantics  allow  for  the  modular  composition  of  mutable  storage 
and  parallel  evaluation,  in  that  the  original  specifications  can  be  simply  composed  to  give  a 
semantically  meaningful  result.  However,  composing  mutable  storage  and  parallel  evaluation 
leads  to  the  possibility  of  race  conditions  (which  can  be  represented  in  SLS),  indicating  that  this 
composition  is  not  always  a  good  idea  if  we  want  to  avoid  race  conditions.  Adding  state  to  a 
natural  semantics  specification,  on  the  other  hand,  will  force  operationalization  to  produce  an 
ordered  abstract  machine  without  parallelism. 

6.5.2  Call-by-need  evaluation 

Mutable references were an obvious use of ambient state, and we were able to extend the ordered abstract machine obtained from the operationalization transformation by simply adding new rules for mutable references (though this did introduce the possibility of race conditions). Another completely modular extension to our (now stateful) Mini-ML language is call-by-need evaluation. The basic idea in call-by-need evaluation is that an expression is not evaluated eagerly; rather, it is stored until the value of that expression is demanded. Once a value is needed, it is computed and the value of that computation is memoized; therefore, a suspended expression will be computed at most once.

This section considers two rather different implementations of by-need evaluation: the first, recursive suspensions, presents itself to the programmer as a different sort of fixed-point operator, and the second, lazy call-by-need, presents itself to the programmer as a different sort of function. Both approaches to lazy evaluation are based on Harper's presentation [Har12, Chapter 37].

Recursive  suspensions 

Recursive suspensions (Figure 6.16) replace the fixed-point operator fix x.e with a thunked expression ⌜thunk x.e⌝ = thunk (λx. ⌜e⌝). Whereas the fixed-point operator returns a value (or fails to terminate), thunked expressions always immediately return a value issusp l, where l is a location of type bind_loc. This location is initially associated with a linear atomic proposition susp l (λx.⌜e⌝) (rule ev/thunk).

When we apply the force operator to an expression that returns issusp l for the first time, the location l stops being associated with a linear atomic proposition of the form susp l (λx.⌜e⌝) and becomes associated with a linear atomic proposition of the form blackhole l (rule ev/force1a). This blackhole l proposition can be used to detect when an expression tries to directly reference its own value in the process of computing to a value. In this example, such a computation will end up stuck, but the comparison with fix x.x suggests that the semantically correct option is failing to terminate instead. A rule with the premise retn (issusp l) • cont force1 • blackhole l could instead be used to loop endlessly or signal failure. This possibility is represented in Figure 6.16 by the commented-out rule fragment (#| this is comment syntax |#).


susp: bind_loc -> (exp -> exp) -> prop lin.
blackhole: bind_loc -> prop lin.
bind: bind_loc -> exp -> prop pers.

ev/susp: eval (issusp L) >-> {retn (issusp L)}.
ev/thunk: eval (thunk \x. E x)
  >-> {Exists l. $susp l (\x. E x) * retn (issusp l)}.
ev/force: eval (force E) >-> {eval E * cont force1}.

ev/force1a: retn (issusp L) * cont force1 * $susp L (\x. E' x)
  >-> {eval (E' (issusp L)) * cont (bind1 L) * $blackhole L}.
ev/force2a: retn V * cont (bind1 L) * $blackhole L
  >-> {retn V * !bind L V}.
#| STUCK - retn (issusp L) * cont force1 * $blackhole L >-> ??? |#
ev/force1b: retn (issusp L) * cont force1 * !bind L V >-> {retn V}.


Figure 6.16: Semantics of call-by-need recursive suspensions

Once a suspended expression has been fully evaluated (rule ev/force2b), the black hole is removed and the location l is persistently associated with the value v; future attempts to force the same suspended expression will trigger rule ev/force1b instead of ev/force1a and will immediately return the memoized value.
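To make the protocol of Figure 6.16 concrete, here is an added Python model of the recursive-suspension machine. It is constructed for this edit and is not code from the thesis or the SLS prototype; the tuple encoding of expressions, the let form used to share one thunk between two forces, and the body_evals counter are assumptions of the model. The ordered context is kept as a focus (eval e or retn v) plus a stack of cont frames, while the linear propositions susp and blackhole and the persistent proposition bind live in side tables. It shows that a shared thunk is evaluated exactly once, and that a thunk demanding its own value reaches the $blackhole L state that the commented-out rule fragment leaves stuck, instead of looping as fix x.x would.

```python
from typing import Callable, Dict, Set, Tuple

# Constructed encoding of the Mini-ML fragment of Figure 6.16 (an assumption of
# this model, not the thesis's LF signature). Expressions are nested tuples:
#   ('lit', n)          natural-number literal, already a value
#   ('succ', e)         successor, so a suspension has real work to memoize
#   ('let', e, body)    body: callable from the value of e to an expression
#   ('thunk', body)     thunk x.e; body maps the expression bound to x to e
#   ('force', e)
#   ('issusp', l)       the value a thunk returns: a bind_loc l
Expr = Tuple


class SuspensionMachine:
    """Ordered abstract machine for recursive suspensions (Figure 6.16)."""

    def __init__(self) -> None:
        self.susp: Dict[int, Callable[[Expr], Expr]] = {}   # $susp l (\x. e)
        self.blackhole: Set[int] = set()                     # $blackhole l
        self.bind: Dict[int, Expr] = {}                      # !bind l v
        self.next_loc = 0
        self.body_evals = 0   # how many times a thunk body was actually run

    def run(self, e: Expr):
        """Returns ('value', v) or ('stuck', reason)."""
        stack = []                  # cont frames, innermost last
        focus = ('eval', e)
        while True:
            mode, x = focus
            if mode == 'eval':
                kind = x[0]
                if kind in ('lit', 'issusp'):            # values, incl. ev/susp
                    focus = ('retn', x)
                elif kind == 'succ':
                    stack.append(('succ1',))
                    focus = ('eval', x[1])
                elif kind == 'let':
                    stack.append(('let1', x[2]))
                    focus = ('eval', x[1])
                elif kind == 'thunk':                    # ev/thunk: fresh l, $susp l e
                    l = self.next_loc
                    self.next_loc += 1
                    self.susp[l] = x[1]
                    focus = ('retn', ('issusp', l))
                elif kind == 'force':                    # ev/force: push cont force1
                    stack.append(('force1',))
                    focus = ('eval', x[1])
                else:
                    return ('stuck', f'unknown expression {kind}')
            else:  # mode == 'retn'
                if not stack:
                    return ('value', x)
                frame = stack.pop()
                if frame[0] == 'succ1':
                    focus = ('retn', ('lit', x[1] + 1))
                elif frame[0] == 'let1':
                    focus = ('eval', frame[1](x))
                elif frame[0] == 'force1':
                    if x[0] != 'issusp':
                        return ('stuck', 'force applied to a non-suspension')
                    l = x[1]
                    if l in self.bind:                   # ev/force1b: memoized value
                        focus = ('retn', self.bind[l])
                    elif l in self.susp:                 # ev/force1a: $susp -> $blackhole
                        body = self.susp.pop(l)
                        self.blackhole.add(l)
                        self.body_evals += 1
                        stack.append(('bind1', l))
                        focus = ('eval', body(('issusp', l)))
                    else:                                # the commented-out STUCK case
                        return ('stuck', f'black hole at location {l}')
                elif frame[0] == 'bind1':                # ev/force2a: $blackhole -> !bind
                    l = frame[1]
                    self.blackhole.discard(l)
                    self.bind[l] = x
                    focus = ('retn', x)


def memoized_example():
    """let t = thunk x. succ 41 in (let _ = force t in force t): body runs once."""
    m = SuspensionMachine()
    prog = ('let', ('thunk', lambda _x: ('succ', ('lit', 41))),
            lambda t: ('let', ('force', t), lambda _a: ('force', t)))
    return m.run(prog), m.body_evals


def black_hole_example():
    """force (thunk x. succ (force x)): the thunk demands its own value."""
    m = SuspensionMachine()
    return m.run(('force', ('thunk', lambda x: ('succ', ('force', x)))))
```

The second example is the by-need analogue of fix x. s x: under the fixed-point operator it would run forever, whereas here the second force of location 0 finds neither a susp nor a bind proposition, only the black hole, and the machine reports exactly the stuck state the figure's comment describes.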

The last four rules in Figure 6.16 (and the one commented-out rule fragment) are all part of one multi-stage protocol. It may be enlightening to consider the refunctionalization of Figure 6.16 presented in Figure 6.17. This rule has a conjunctive continuation (using the additive conjunction connective A⁻ & B⁻) with one conjunct for two of the three atomic propositions a bind_loc can be associated with: the linear proposition susp l (λx.e), the linear proposition blackhole l (which cannot be handled by the continuation and so will result in a stuck state), and the persistent proposition bind l v.
ev/force: eval (force E)
  >-> {eval E *
       ((All L. All E'.
           retn (issusp L) * $susp L (\x. E' x)
           >-> {eval (E' (issusp L)) * $blackhole L *
                (All V. retn V * $blackhole L
                   >-> {retn V * !bind L V})})
        #| STUCK - & (All L. retn (issusp L) * $blackhole L >-> ???) |#
        & (All L. All V.
           retn (issusp L) * !bind L V >-> {retn V}))}.


Figure 6.17: Semantics of call-by-need recursive suspensions, refunctionalized


susp': exp -> exp -> prop lin.
blackhole': exp -> prop lin.
bind': exp -> exp -> prop pers.

ev/lazylam: eval (lazylam \x. E x) >-> {retn (lazylam \x. E x)}.
ev/applazy: retn (lazylam \x. E x) * cont (app1 E2)
  >-> {Exists x:exp. eval (E x) * $susp' x E2}.

ev/susp': eval X * $susp' X E
  >-> {$blackhole' X * eval E * cont (bind1' X)}.
ev/susp1': retn V * cont (bind1' X) * $blackhole' X
  >-> {retn V * !bind' X V}.
ev/bind': eval X * !bind' X V >-> {retn V}.


Figure 6.18: Semantics of lazy call-by-need functions


Lazy  evaluation 

Recursive suspensions must be forced explicitly; an alternative to recursive suspensions, which uses very similar specification machinery but presents a different interface to the programmer, is lazy call-by-need function evaluation. Lazy evaluation better matches the semantics of popular call-by-need languages like Haskell. For this semantics, we will not create a new abstract location type like mutable_loc or bind_loc; instead, we will associate suspended expressions (and black holes and memoized values) with free expression variables of type exp.

We can treat lazy call-by-need functions (lazylam λx.e) as an extension to the language that already includes call-by-value functions (lam λx.e) and application; this extension is described in Figure 6.18. Lazy functions are values (rule ev/lazylam), but when a lazy function is returned to a frame ⌜□ e₂⌝ = app1 ⌜e₂⌝, we do not evaluate ⌜e₂⌝ to a value immediately. Instead, we create a free variable x of type exp and substitute that into the lazy function.

Free variables x are now part of the language of expressions that get evaluated, though they are not in the language of values that get returned. Therefore, we need some way of evaluating free variables. This is handled by the three rules ev/susp', ev/susp1', and ev/bind' as before. Each free expression variable x is either associated with a unique linear atomic proposition susp' x e₂, a black hole blackhole' x, or a persistent binding bind' x v.


ev/envlam: eval (envlam \x. E x) >-> {retn (envlam \x. E x)}.

ev/appenv1: retn (envlam \x. E x) * cont (app1 E2)
  >-> {Exists x. eval E2 * cont (app2' x (E x))}.

ev/appenv2: retn V2 * cont (app2' X E)
  >-> {eval E * !bind' X V2}.

Figure 6.19: Environment semantics for call-by-value functions

As  a  final  note,  call-by-need  evaluation  is  semantically  equivalent  to  call-by-name  evaluation 
in  a  language  that  does  not  otherwise  use  state.  Unevaluated  suspensions  can  therefore  be  ignored 
if  they  are  not  needed.  For  this  reason,  if  SLS  were  extended  with  an  affine  modality,  it  would 
be  quite  reasonable  to  view  susp  and  susp'  as  affine  atomic  propositions  instead  of  linear  atomic 
propositions.  However,  as  long  as  we  restrict  ourselves  to  considering  traces  rather  than  complete 
derivations,  the  differences  between  affine  and  linear  propositions  are  irrelevant. 

6.5.3  Environment  semantics 

Toninho, Caires, and Pfenning have observed that call-by-need and call-by-value can both be seen in a larger family of sharing evaluation strategies (if and when the argument to λx.e is evaluated, the work of evaluating that argument to a value is shared across all occurrences of x). Call-by-name, in contrast, is called a copying evaluation strategy, since the unevaluated argument of λx.e is copied to all occurrences of x [TCP12]. This relationship between the lazy call-by-need semantics from Figure 6.18 and call-by-value is better presented by giving a variant of what we called an environment semantics in [PS09].

As with the lazy call-by-name semantics, we introduce the environment semantics by creating a new function value envlam (λx. e) instead of reinterpreting the existing function expression lam (λx. e). When a value of the form lazylam (λx. e) was returned to a frame app1 e₂ in rule ev/applazy from Figure 6.18, we immediately created a new expression variable x, suspended the argument e₂, and scheduled the function body for evaluation. When a value of the form envlam (λx. e) is returned to a frame app1 e₂ in rule ev/appenv1 in Figure 6.19, we likewise create the new expression variable x, but we suspend the function body in a frame app2' x e that also records the new expression variable x and schedule the argument for evaluation. Immediately evaluating the argument is, of course, exactly how call-by-value evaluation is performed; this is what makes environment semantics equivalent to call-by-value semantics. Then, when the evaluated function argument v₂ is returned to that frame (rule ev/appenv2), we create the same persistent binding bind' x v₂ that was generated by rule ev/susp1' in Figure 6.18 and proceed to evaluate the function body. Upon encountering the free variable x in the course of evaluation, the same rule ev/bind' from Figure 6.18 will return the right value.
error: prop ord.
handle: exp -> prop ord.

ev/fail: eval fail >-> {error}.
ev/error: error * cont F >-> {error}.

ev/catch:  eval (catch E1 E2) >-> {eval E1 * handle E2}.
ev/catcha: retn V * handle _ >-> {retn V}.
ev/catchb: error * handle E2 >-> {eval E2}.


Figure 6.20: Semantics of recoverable failure


This presentation of the environment semantics is designed to look like call-by-need, and so it creates the free variable x early, in rule ev/appenv1. It would be equally reasonable to create the free variable x later, in rule ev/appenv2, which would result in a specification that resembles Figure 6.6 more closely. This is what was done in [PS09] and [SP11a], and we will use a similar specification (Figure 8.3) as the basis for deriving a control flow analysis in Section 8.4.

6.5.4  Recoverable  failure 

In a standard abstract machine presentation, recoverable failure can be introduced by adding a new state s = k ◀ to the existing two (s = k ▷ e and s = k ◁ v) [Har12, Chapter 28]. Whereas k ◁ v represents a value being returned to the stack, k ◀ represents failure being returned to the stack; failure is signaled by the expression fail⁷ and can be handled by the expression ⌜try e₁ ow e₂⌝ = catch ⌜e₁⌝ ⌜e₂⌝.

We can extend sequential ordered abstract machines with exceptions in a modular way, as shown in Figure 6.20. Recall that a sequential ordered abstract machine specification is one where there is only one ordered eval e or retn v proposition in the process state to the right of a series of ordered cont f propositions; process states with eval ⌜e⌝ correspond to states k ▷ e and process states with retn ⌜v⌝ correspond to states k ◁ v.

We introduce two new ordered atomic propositions. The first, error, is introduced by rule ev/fail. A state with an error proposition corresponds to a state k ◀ in traditional ordered abstract machine specifications. Errors eat away at any cont f propositions to their right (rule ev/error). The only thing that stops the inexorable march of an error is the special ordered atomic proposition handle e that is introduced in rule ev/catch when we evaluate the handler.

This is one case where the use of defunctionalized specifications, and in particular our decision to defunctionalize with a single cont f proposition instead of inventing a new ordered atomic proposition at every step (Section 6.2.3), gives us a lot of expressive power. If we wanted to add exceptions to the higher-order specification of Mini-ML, we would have to include the possibility of an exceptional outcome in every individual rule. For instance, this would be the rule for evaluating ⌜s e⌝ = succ ⌜e⌝:

⁷Failure could also be introduced by actions such as dividing by zero or encountering the black hole in the commented-out case of Figure 6.16.
ev/succ: eval (succ E)
  >-> {eval E *
       ((All V. retn V >-> {retn (succ V)})
        & (error >-> {error}))}.

Instead, this case is handled generically by rule ev/error in Figure 6.20, though the above specification is what we would get if we were to refunctionalize the defunctionalized specification of core Mini-ML from Figure 6.8 extended with rule ev/error.

Failures  and  the  parallel  translation 

Our  semantics  of  recoverable  failure  composes  reasonably  well  with  stateful  features,  though 
arguably  in  call-by-need  evaluation  it  is  undesirable  that  forcing  a  thunk  can  lead  to  errors  being 
raised  in  a  non-local  fashion.  However,  recoverable  failure  does  not  compose  well  with  parallel 
semantics  as  we  have  described  them. 

We assume, in rule ev/error, that we can blindly eliminate cont f frames with the ev/error rule. If we eliminate the cont pair1 frame from Figure 6.8 in this way, it breaks the invariant that the ordered propositions represent a branching tree written down in postfix. Recall that, without exceptions, a piece of process state in the process of evaluating ⌜(e₁, e₂)⌝ = pair ⌜e₁⌝ ⌜e₂⌝ has the following form:

(subgoal: evaluating e₁), (subgoal: evaluating e₂), y:(cont pair1)

If the second subgoal evaluating e₂ signals an error, that error will immediately propagate to the right, orphaning the first subgoal. Conversely, if the first subgoal signals an error, that error will have to wait until the first subgoal completes: SLS specifications are local, and there is no local way for the first subgoal to talk about its continuation y:(cont pair1) because an arbitrary amount of stuff (the representation of the second subgoal) is in the way. This seems to force us into treating parallel evaluations asymmetrically: if e_raise signals failure and e_loop loops forever, then the two Mini-ML pair expressions (e_raise, e_loop) and (e_loop, e_raise) are observably different. That is arguably bad, though if we switch the relative position of e₁ and e₂ in the context, it can also be seen as an implementation of the sequential semantics for exceptions followed by Manticore [FRR08].

A fix is to modify defunctionalization to group similar propositions rather than grouping all propositions into the single proposition cont. Specifically, we defunctionalize sequential propositions of the form ∀x. retn v ↠ {...} using one ordered atomic proposition cont f and defunctionalize parallel propositions of the form ∀x. retn v₁ • retn v₂ ↠ {...} using a different ordered atomic proposition cont2 f. This lets us write rules that treat parallel continuations generically and that only return errors when both sub-computations have completed and at least one has signaled an error:

ev/errerr:  error * error * cont2 _ >-> {error}.
ev/errretn: error * retn _ * cont2 _ >-> {error}.
ev/retnerr: retn _ * error * cont2 _ >-> {error}.

This is a big improvement, because parallel pairs are again treated symmetrically. But it's not the way we necessarily wanted to restore symmetry: the evaluations of (e_raise, e_loop) and (e_loop, e_raise) will both loop forever, but we might wish for both of them to signal failure. The latter alternative is not expressible in an ordered abstract machine specification.
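The following added Python simulator, written for this edit rather than taken from the thesis, plays out the error propagation of Figure 6.20 and the parallel-pair asymmetry discussed above. The ordered context is a list of atoms, rewritten at the leftmost position where a rule matches; the tuple encoding of expressions, the 'loop' marker standing for a subcomputation that never finishes, and the classification of final states are assumptions of this model. RULES_CONT defunctionalizes the pair frame with the single cont proposition, RULES_CONT2 uses the separate cont2 proposition together with the three error rules just given.

```python
# Constructed simulator for the ordered abstract machines of Figure 6.20 and the
# parallel-pair discussion (not the thesis's own SLS code).
#   atoms:       ('eval', e) ('retn', v) ('error',) ('cont', f) ('cont2', f) ('handle', e)
#   expressions: ('lit', n) ('fail',) ('loop',) ('succ', e) ('catch', e1, e2) ('pair', e1, e2)
# 'loop' models a divergent subcomputation: no rule ever rewrites eval loop.

def ev_seq(a):
    """Unary sequential rules: values, ev/fail, ev/succ, ev/catch."""
    if a[0] != 'eval':
        return None
    e = a[1]
    if e[0] == 'lit':
        return [('retn', e)]
    if e[0] == 'fail':                                   # ev/fail
        return [('error',)]
    if e[0] == 'succ':
        return [('eval', e[1]), ('cont', 'succ1')]
    if e[0] == 'catch':                                  # ev/catch
        return [('eval', e[1]), ('handle', e[2])]
    return None

def ev_pair_cont(a):
    """Parallel pair, defunctionalized with the single cont proposition."""
    if a[0] == 'eval' and a[1][0] == 'pair':
        return [('eval', a[1][1]), ('eval', a[1][2]), ('cont', 'pair1')]
    return None

def ev_pair_cont2(a):
    """Parallel pair, defunctionalized with the separate cont2 proposition."""
    if a[0] == 'eval' and a[1][0] == 'pair':
        return [('eval', a[1][1]), ('eval', a[1][2]), ('cont2', 'pair1')]
    return None

def ev_two(a, b):
    """Binary rules: returning to succ1, ev/error, ev/catcha, ev/catchb."""
    if a[0] == 'retn' and b == ('cont', 'succ1'):
        return [('retn', ('succ', a[1]))]
    if a[0] == 'error' and b[0] == 'cont':               # ev/error eats any cont frame
        return [('error',)]
    if a[0] == 'retn' and b[0] == 'handle':              # ev/catcha
        return [a]
    if a[0] == 'error' and b[0] == 'handle':             # ev/catchb
        return [('eval', b[1])]
    return None

def ev_three(a, b, c):
    """Ternary rules: joining a pair; the error rules exist for cont2 only."""
    if c[0] not in ('cont', 'cont2') or c[1] != 'pair1':
        return None
    if a[0] == 'retn' and b[0] == 'retn':
        return [('retn', ('pair', a[1], b[1]))]
    if c[0] == 'cont2' and a[0] in ('retn', 'error') and b[0] in ('retn', 'error'):
        return [('error',)]                              # ev/errerr, ev/errretn, ev/retnerr
    return None

RULES_CONT = [(1, ev_seq), (1, ev_pair_cont), (2, ev_two), (3, ev_three)]
RULES_CONT2 = [(1, ev_seq), (1, ev_pair_cont2), (2, ev_two), (3, ev_three)]

def try_step(ctx, rules):
    """Apply one rule at the leftmost position where any rule matches, or None."""
    for i in range(len(ctx)):
        for arity, rule in rules:
            if i + arity <= len(ctx):
                out = rule(*ctx[i:i + arity])
                if out is not None:
                    return ctx[:i] + out + ctx[i + arity:]
    return None

def evaluate(e, rules, fuel=1000):
    """Run to quiescence and classify the final ordered context."""
    ctx = [('eval', e)]
    for _ in range(fuel):
        nxt = try_step(ctx, rules)
        if nxt is None:
            break
        ctx = nxt
    if len(ctx) == 1 and ctx[0][0] == 'retn':
        return ('value', ctx[0][1])
    if ctx[-1] == ('error',):
        return ('error', ctx[:-1])        # whatever remains is an orphaned subgoal
    if any(a == ('eval', ('loop',)) for a in ctx):
        return ('diverges', ctx)
    return ('stuck', ctx)
```

With RULES_CONT, (fail, loop) is classified as diverging while (loop, fail) reports an error with the first subgoal left orphaned; with RULES_CONT2 both diverge, which is the symmetric but not entirely desired outcome described above.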

Part  of  the  problem  is  that  recoverable  failure  is  fundamentally  a  control  feature  and  not  a 
stateful  or  parallel  programming  language  feature.  As  a  result,  it  is  not  easy  to  handle  at  the  level 
of  ordered  abstract  machines,  because  ordered  abstract  machines  do  not  give  the  specification 
author  enough  access  to  the  control  structure.  The  destination-passing  style  we  consider  in  the 
next  chapter,  on  the  other  hand,  will  give  us  sufficient  access  to  control  structure. 

6.5.5  Looking  back  at  natural  semantics 

Mutable storage, call-by-need evaluation, and the environment semantics are all modular extensions to the call-by-value specification in Figure 6.6. The extensions are modular because they make essential use of the ambient context available to concurrent SLS specifications, introducing new linear and persistent ordered atomic propositions that can be added to the context (and, in the linear case, removed as well).

For extensions to sequential ordered abstract machines that are only based on extending the state, we can consider what it would mean to reverse-engineer a natural semantics formalism that is as extensible as the resulting ordered abstract machine. The primary judgment of such a specification is not e ⇓ v as before; rather, the primary judgment becomes {e‖μ}_Ψ ⇓ {v‖μ'}_Ψ'.⁸ The variable contexts Ψ and Ψ' are the same variable contexts that appear in our process states (Ψ; Δ), and our specifications are expected to maintain the invariant that Ψ ⊆ Ψ'. The objects e and v remain syntactic objects adequately encodable in LF, as before, whereas μ is an extensible bag of judgments μ = J₁ ⊗ ... ⊗ Jₙ that correspond to the propositions in our linear and persistent context; we treat ⊗ as an associative and commutative operator (just like conjunction of linear logic contexts). A new judgment in an SLS specification can be treated as a new member of the syntactic class J. For instance, lazy call-by-need functions as defined in Figure 6.18 use three judgments: x ← e (corresponding to susp' x e), x ← • (corresponding to blackhole' x), and x → v (corresponding to bind' x v). We can give a statefully-modular natural semantics for call-by-need lazy functions as follows:


$$
\frac{}{\{\lambda x.e \,\|\, \mu\}_{\Psi} \Downarrow \{\lambda x.e \,\|\, \mu\}_{\Psi}}
\qquad
\frac{\{e_1 \,\|\, \mu\}_{\Psi} \Downarrow \{\lambda x.e \,\|\, \mu'\}_{\Psi'} \qquad
      \{e \,\|\, x \leftarrow e_2 \otimes \mu'\}_{\Psi',x} \Downarrow \{v \,\|\, \mu''\}_{\Psi''}}
     {\{e_1\, e_2 \,\|\, \mu\}_{\Psi} \Downarrow \{v \,\|\, \mu''\}_{\Psi''}}
$$

$$
\frac{\{e \,\|\, x \leftarrow \bullet \otimes \mu\}_{\Psi,x} \Downarrow \{v \,\|\, x \leftarrow \bullet \otimes \mu'\}_{\Psi',x}}
     {\{x \,\|\, x \leftarrow e \otimes \mu\}_{\Psi,x} \Downarrow \{v \,\|\, x \rightarrow v \otimes \mu'\}_{\Psi',x}}
\qquad
\frac{}{\{x \,\|\, x \rightarrow v \otimes \mu\}_{\Psi,x} \Downarrow \{v \,\|\, x \rightarrow v \otimes \mu\}_{\Psi,x}}
$$

While the definition of e ⇓ v could be directly encoded as a deductive SLS specification, the definition of {e‖μ}_Ψ ⇓ {v‖μ'}_Ψ' cannot. Nevertheless, the example above suggests that

⁸The notation {e‖μ}_Ψ is intended to evoke Harper's notation νΣ{e‖μ}, which is used to describe mutable references and lazy evaluation in Chapters 36 and 37 of [Har12]. The critical semantic distinction is that our Ψ contains variables whereas Σ contains proper symbols that are not available in SLS, as discussed in Section 6.5.1.
#mode inc + -.
inc: nat -> nat -> prop.

inc/eps: inc eps (c eps b1).
inc/b0:  inc (c N b0) (c N b1).
inc/b1:  inc (c N b1) (c R b0) <- inc N R.

#mode plus + + -.
plus: nat -> nat -> nat -> prop.
plus/eN: plus eps N N.
plus/Ne: plus N eps N.

plus/b00: plus (c M b0) (c N b0) (c R b0) <- plus M N R.
plus/b01: plus (c M b0) (c N b1) (c R b1) <- plus M N R.
plus/b10: plus (c M b1) (c N b0) (c R b1) <- plus M N R.
plus/b11: plus (c M b1) (c N b1) (c R b0) <- plus M N K <- inc K R.

Figure 6.21: Backward-chaining logic program for binary addition


a carefully-defined formalism for statefully-modular natural semantics specifications could be similarly compiled into (or defined in terms of) the operationalization of specifications into SLS.

There is a great deal of work on special-purpose formalisms for the specification and modular extension of operational semantics. The specification above follows Harper's development in [Har12], and Mosses's Modular Structural Operational Semantics (MSOS) is a similar development [Mos04]. Previous work is primarily interested in the modular extension of small-step structural operational semantics specifications rather than big-step natural semantics, though Mosses does discuss the latter. The operationalization transformation applies to SOS specifications (as discussed below in Section 6.6.2), but the result is something besides an ordered abstract machine semantics.

The functional correspondence connects structural operational semantics and abstract machines [Dan08]. A logical correspondence between SOS specifications and ordered abstract machines in SLS might give us insight into a modular formalism for SOS that is defined in terms of concurrent SLS specifications, but this is left for future work.


6.6  Other  applications  of  transformation 

Thus  far,  we  have  only  discussed  the  application  of  the  operationalization  and  defunctionalization 
transformations  to  natural  semantics  specifications.  However,  both  transformations  are  general 
and  can  be  applied  to  many  different  specifications. 

In this section, we will consider the meaning of operationalization on three other types of deductive SLS specifications: an algorithmic specification of addition by Pfenning, small-step structural operational semantics specifications, and the natural semantics of Davies' staged computation language λ○. The last two transformations explore the use of partial operationalization, in which we use the generality of operationalization to transform only some of the predicates in a program.
retn: nat -> prop ord.
cont: frame -> prop ord.

inc/eps: inc eps >-> {retn (c eps b1)}.
inc/b0:  inc (c N b0) >-> {retn (c N b1)}.
inc/b1:  inc (c N b1) >-> {inc N * cont append0}.

plus/eN:  plus eps N >-> {retn N}.
plus/Ne:  plus N eps >-> {retn N}.
plus/b00: plus (c M b0) (c N b0) >-> {plus M N * cont append0}.
plus/b01: plus (c M b0) (c N b1) >-> {plus M N * cont append1}.
plus/b10: plus (c M b1) (c N b0) >-> {plus M N * cont append1}.
plus/b11: plus (c M b1) (c N b1) >-> {plus M N * cont carry}.
plus/carry: retn K * cont carry >-> {inc K * cont append0}.

cont/0: retn R * cont append0 >-> {retn (c R b0)}.
cont/1: retn R * cont append1 >-> {retn (c R b1)}.

Figure 6.22: Forward-chaining logic program for binary addition

6.6.1  Binary  addition 

In the notes for his Spring 2012 course on Linear Logic, Pfenning gave two algorithmic specifications of binary addition as logic programs; in both cases, binary numbers are represented as lists of bits, either ⌜ε⌝ = eps, ⌜n0⌝ = c ⌜n⌝ b0, or ⌜n1⌝ = c ⌜n⌝ b1. The first specification was given as a forward-chaining ordered abstract machine [Pfe12d], and the second specification was given as a backward-chaining logic program [Pfe12b]. Because these operational specifications were developed independently of operationalization, this provides an interesting and relatively simple test case for operationalization, defunctionalization, and their implementation in the SLS prototype.

The backward-chaining logic program for binary addition is presented in Figure 6.21; the three-place relation plus depends on a two-place relation inc that handles carry bits. We operationalize this specification by giving plus and inc the evaluation predicates plus and inc, respectively, and giving them the same return predicate, retn.

#mode value +.
value: exp -> prop.
value/lam: value (lam \x. E x).

#mode step + -.
step: exp -> exp -> prop.
step/app1: step (app E1 E2) (app E1' E2) <- step E1 E1'.
step/app2: step (app E1 E2) (app E1 E2') <- value E1 <- step E2 E2'.
step/appred: step (app (lam \x. E x) V) (E V) <- value V.

#mode evsos + -.
evsos: exp -> exp -> prop.
evsos/steps: evsos E V <- step E E' <- evsos E' V.
evsos/value: evsos V V <- value V.


Figure 6.23: SOS evaluation


In the direct operationalization of Figure 6.21, we can observe that there are three separate continuation frames (associated with the rules inc/b1, plus/b00, and plus/b11) that do the exact same thing: cause the bit 0 to be appended to the end of the returned number. With this observation, we can consolidate these three frames and the rules associated with them into one frame append0 and one rule cont/0 in Figure 6.22. Similarly, continuation frames associated with rules plus/b01 and plus/b10 both append the bit 1, and can be consolidated into the frame append1 and the rule cont/1 in Figure 6.22. (The only remaining frame is associated with the rule plus/b11 and invokes the increment procedure inc to handle the carry bit.) With the exception of the creation of redundant continuations, which could certainly be addressed by giving a more robust implementation of defunctionalization, Figure 6.22 can be seen as a direct operationalization of the deductive procedure in Figure 6.21.
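As an added illustration (Python written for this edit, not Pfenning's or the thesis's code), the two programs of Figures 6.21 and 6.22 can be run side by side: plus_bc follows the backward-chaining clauses as recursive calls, while plus_fc runs the forward-chaining machine over an explicit ordered context consisting of one active proposition (plus, inc or retn) followed by its cont frames. Representing ⌜n⌝ as a tuple of bits with the most significant bit first, and the optional trace list that records each process state, are choices made here.

```python
# Constructed Python models of the binary-addition programs in Figures 6.21 and
# 6.22 (not Pfenning's or the thesis's code). The number c (c eps b1) b0 is the
# tuple (1, 0), most significant bit first; eps is the empty tuple ().

def to_bits(n):
    return tuple(int(ch) for ch in bin(n)[2:]) if n else ()

def from_bits(bits):
    return int(''.join(map(str, bits)), 2) if bits else 0

# --- Figure 6.21: backward chaining. Each clause becomes a recursive call.

def inc_bc(n):
    if n == ():                       # inc/eps
        return (1,)
    if n[-1] == 0:                    # inc/b0
        return n[:-1] + (1,)
    return inc_bc(n[:-1]) + (0,)      # inc/b1: the carry propagates leftward

def plus_bc(m, n):
    if m == ():                       # plus/eN
        return n
    if n == ():                       # plus/Ne
        return m
    rest = plus_bc(m[:-1], n[:-1])
    if (m[-1], n[-1]) == (0, 0):      # plus/b00
        return rest + (0,)
    if m[-1] != n[-1]:                # plus/b01, plus/b10
        return rest + (1,)
    return inc_bc(rest) + (0,)        # plus/b11: sum bit 0, carry goes through inc

# --- Figure 6.22: forward chaining. The ordered context is a list whose head is
# the active proposition and whose tail is the cont frames, innermost first.
# Every branch below is one rule of the figure.

def plus_fc(m, n, trace=None):
    ctx = [('plus', m, n)]
    while True:
        if trace is not None:
            trace.append(list(ctx))
        head, *frames = ctx
        if head[0] == 'plus':
            _, a, b = head
            if a == ():                                        # plus/eN
                ctx = [('retn', b)] + frames
            elif b == ():                                      # plus/Ne
                ctx = [('retn', a)] + frames
            else:
                bits = (a[-1], b[-1])
                frame = ('append0' if bits == (0, 0)           # plus/b00
                         else 'carry' if bits == (1, 1)        # plus/b11
                         else 'append1')                       # plus/b01, plus/b10
                ctx = [('plus', a[:-1], b[:-1]), ('cont', frame)] + frames
        elif head[0] == 'inc':
            _, k = head
            if k == ():                                        # inc/eps
                ctx = [('retn', (1,))] + frames
            elif k[-1] == 0:                                   # inc/b0
                ctx = [('retn', k[:-1] + (1,))] + frames
            else:                                              # inc/b1
                ctx = [('inc', k[:-1]), ('cont', 'append0')] + frames
        else:  # head is retn R
            _, r = head
            if not frames:                                     # final state: the answer
                return r
            frame, rest = frames[0][1], frames[1:]
            if frame == 'carry':                               # plus/carry
                ctx = [('inc', r), ('cont', 'append0')] + rest
            elif frame == 'append0':                           # cont/0
                ctx = [('retn', r + (0,))] + rest
            else:                                              # cont/1
                ctx =   [('retn', r + (1,))] + rest

def agree(limit=40):
    """Both programs compute the same sums as Python integers for all pairs below limit."""
    return all(plus_bc(to_bits(a), to_bits(b)) == plus_fc(to_bits(a), to_bits(b)) == to_bits(a + b)
               for a in range(limit) for b in range(limit))
```

Passing a list as trace to plus_fc shows the consolidated frames at work: adding 1101 and 111 pushes carry, append1 and carry frames while descending, and the returns then pop them, with each carry frame turning into an inc call followed by an append0 frame exactly as rule plus/carry says.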

Unfortunately, Figure 6.22 is not quite the same as Pfenning's ordered abstract machine for addition in [Pfe12d], but the difference is rather minor. In Pfenning's version of addition, the rule we call plus/carry in Figure 6.22 does not generate the conclusion cont append0. Instead, that frame is generated earlier by the rule we called plus/b11, which in Pfenning's formulation is ∀M. ∀N. plus (c M b1) (c N b1) ↠ {plus M N • cont carry • cont append0}.

Relating specifications that differ only in the order with which certain continuation frames are generated seems to be a pervasive pattern. For example, Ian Zerny observed a very similar phenomenon when using operationalization to replay the correspondence between natural semantics and abstract machines presented in [DMMZ12]. Characterizing this observation more precisely is left for future work.

6.6.2  Operationalizing  SOS  specifications 

We have thus far considered big-step operational semantics and abstract machines, mostly neglecting another great tradition in operational semantics, structural operational semantics (SOS) specifications [Plo04], though we did define the small-step judgment ⌜e ↦ e'⌝ = step ⌜e⌝ ⌜e'⌝ for call-by-value evaluation in the beginning of this chapter. The SOS specification from that discussion is encoded as an SLS specification in Figure 6.23. The figure also defines the judgment ⌜e ↦* v⌝ = evsos ⌜e⌝ ⌜v⌝ that implements big-step evaluation in terms of the small-step SOS specification.
eval_sos: exp -> prop ord.
retn_sos: exp -> prop ord.

evsos/steps: eval_sos E * !step E E' >-> {eval_sos E'}.
evsos/value: eval_sos V * !value V >-> {retn_sos V}.

Figure 6.24: The operationalization of evsos from Figure 6.23


There are several ways that we can contemplate operationalizing the SOS specification in Figure 6.23. If we operationalize only the evsos predicate, making the evaluation predicate eval_sos and the return predicate retn_sos, then we get what may be the most boring possible substructural operational semantics specification, shown in Figure 6.24. The specification is fully tail-recursive and there are no continuation frames, just an expression transitioning according to the rules of the small-step evaluation relation for an indefinite number of steps as we extend the trace. While the specification is almost trivial, it still captures something of the essence of an SSOS specification: atomic transitions are interpreted as steps (by way of the inductively-defined relation step ⌜e⌝ ⌜e'⌝) and potentially nonterminating or failing computations are interpreted as traces. This specification is also the first case where we have performed operationalization on only part of a specification. In the terminology of Section 6.1.1, Figure 6.24 implies that the rules value/lam, step/app1, step/app2, and step/appred have been assigned to the category D of rules that remain in the deductive fragment while the rules evsos/steps and evsos/value were assigned to the category C of rules that end up being transformed.

In the other direction, we can consider operationalizing only the predicate step, which implies assigning the rules value/lam, evsos/steps, and evsos/value to the category D and placing step/app1, step/app2, and step/appred in the category C of rules that end up being transformed into the concurrent fragment. The result of this transformation is shown in Figure 6.25. The first subgoal of ev/steps, the proposition !(decomp E ↠ {plug E'}), is the first time we have actually encountered the effect of the operation discussed in Section 6.1.2.

Instead of eval, we have decomp in Figure 6.25, since the relevant action is to decompose the expression looking for an applicable β-reduction, and instead of retn we have plug, since the relevant action is to plug the reduced expression back into the larger term. When we operationalized natural semantics, the structure of the suspended cont f propositions was analogous to the control stacks k of abstract machine specifications. In our operationalized SOS specification, the structure of the cont f propositions is analogous to evaluation contexts, often written as $\mathcal{E}[\,]$:

$$\mathcal{E}[\,] ::= \mathcal{E}[\,]\ e \mid v\ \mathcal{E}[\,] \mid [\,]$$

The names decomp and plug are taken from the treatment of evaluation contexts in the functional correspondence [Dan08].

As we foreshadowed in Section 6.4.3, the right computational interpretation of Figure 6.25 is not committed-choice forward chaining; the concurrent rules we generate can get stuck without states being stuck, and factoring does not seem to provide a way out. Consider terms of type eval ⌜(λx.x) e⌝ >-> {retn ⌜(λx.x) e'⌝} where $e \mapsto e'$ and consequently $(x{:}(\mathsf{eval}\ ⌜e⌝)) \rightsquigarrow^* (y{:}(\mathsf{retn}\ ⌜e'⌝))$. It is entirely possible to use rule step/app1 to derive the following:

$$(x_1{:}(\mathsf{eval}\ ⌜(\lambda x.x)\ e⌝)) \rightsquigarrow (y_1{:}(\mathsf{eval}\ ⌜\lambda x.x⌝),\ y_2{:}(\mathsf{cont}\ (\mathsf{ap1}\ ⌜e⌝))) \not\rightsquigarrow$$
decomp: exp -> prop ord.
plug: exp -> prop ord.

#| Reduction rules |#

step/appred: decomp (app (lam \x. E x) V) * !value V
              >-> {plug (E V)}.

#| Decomposing a term into an evaluation context |#
step/app1: decomp (app E1 E2)
            >-> {decomp E1 * cont (ap1 E2)}.
step/app2: decomp (app V1 E2) * !value V1
            >-> {decomp E2 * cont (ap2 V1)}.

#| Reconstituting a term from an evaluation context |#
step/app1/1: plug E1' * cont (ap1 E2)
              >-> {plug (app E1' E2)}.
step/app2/1: plug E2' * cont (ap2 E1)
              >-> {plug (app E1 E2')}.


#mode evsos + -.
evsos: exp -> exp -> prop.

evsos/steps: evsos E V
              <- (decomp E >-> {plug E'})
              <- evsos E' V.
evsos/value: evsos V V <- value V.

Figure 6.25: This transformation of Figure 6.23 evokes an evaluation context semantics


While stuck states in abstract machines raised alarm bells about language safety, the stuck state above is not a concern: we merely should have applied rule step/app2 to $x_1$ instead of rule step/app1. This corresponds to the fact that small-step SOS specifications and specifications that use evaluation contexts map most naturally to the backtracking search behavior generally associated with backward chaining.
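To make the stuck-but-not-stuck point concrete, here is an added example (not code from the dissertation or from the SLS implementation) that simulates the decomp/plug rules of Figure 6.25 over a small call-by-value lambda calculus. It runs the rules once under committed-choice forward chaining, firing the first applicable rule in the order the figure lists them, and once as a backtracking search in the backward-chaining reading. The term representation and the sample term (λx.x) ((λy.y) (λz.z)) are this example's own constructions.

```python
# Added example (not code from the dissertation or the SLS implementation):
# the decomp/plug rules of Figure 6.25 simulated over a call-by-value lambda
# calculus, once under committed choice and once as backtracking search.
#
# Terms: ("var", x) | ("lam", x, body) | ("app", e1, e2)

def is_value(e):
    return e[0] == "lam"

def subst(body, x, v):
    """[v/x]body. Values substituted here are closed, so no capture can occur."""
    tag = body[0]
    if tag == "var":
        return v if body[1] == x else body
    if tag == "lam":
        return body if body[1] == x else ("lam", body[1], subst(body[2], x, v))
    return ("app", subst(body[1], x, v), subst(body[2], x, v))

def committed_step(state, order):
    """One transition of the concurrent fragment under committed choice.
    A state is (mode, e, frames): mode is "decomp" or "plug", and frames are
    the cont propositions to the right of it (innermost last). Returns None
    when no rule applies, i.e. the state is stuck."""
    mode, e, frames = state
    if mode == "decomp":
        for rule in order:
            if rule == "appred" and e[0] == "app" and e[1][0] == "lam" and is_value(e[2]):
                return ("plug", subst(e[1][2], e[1][1], e[2]), frames)   # step/appred
            if rule == "app1" and e[0] == "app":
                return ("decomp", e[1], frames + [("ap1", e[2])])         # step/app1
            if rule == "app2" and e[0] == "app" and is_value(e[1]):
                return ("decomp", e[2], frames + [("ap2", e[1])])         # step/app2
        return None
    if not frames:
        return None
    frame, rest = frames[-1], frames[:-1]
    if frame[0] == "ap1":
        return ("plug", ("app", e, frame[1]), rest)                      # step/app1/1
    return ("plug", ("app", frame[1], e), rest)                          # step/app2/1

def committed_choice(e, order=("appred", "app1", "app2")):
    """Run decomp e until plug e' with no frames left; None if the run gets stuck."""
    state = ("decomp", e, [])
    while not (state[0] == "plug" and not state[2]):
        state = committed_step(state, order)
        if state is None:
            return None
    return state[1]

def backtracking(e):
    """Backward-chaining reading: every e' such that decomp e >-> {plug e'} is derivable."""
    results = []
    if e[0] != "app":
        return results          # decomp of a variable or a value: no rule applies
    e1, e2 = e[1], e[2]
    if e1[0] == "lam" and is_value(e2):
        results.append(subst(e1[2], e1[1], e2))
    results += [("app", r, e2) for r in backtracking(e1)]
    if is_value(e1):
        results += [("app", e1, r) for r in backtracking(e2)]
    return results

ID = ("lam", "x", ("var", "x"))
# Constructed sample: (λx.x) ((λy.y) (λz.z)); the argument must be reduced first.
TERM = ("app", ID, ("app", ("lam", "y", ("var", "y")), ("lam", "z", ("var", "z"))))
```

With the figure's rule order, committed choice decomposes the function position of TERM with step/app1, reaches decomp of a value, and halts without a plug, while the backtracking search returns the single step (λx.x) (λz.z). Reordering the rules so that step/app2 is tried before step/app1 happens to rescue this particular term, which is the sense in which the choice of rule, not the state, is what got stuck.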


6.6.3 Partial evaluation in $\lambda^{\bigcirc}$

As a final example, we present two SLS specifications of Davies' $\lambda^{\bigcirc}$, a logically motivated type system and natural semantics for partial evaluation [Dav96]. Partial evaluation is not a modular language extension, either on paper or in SLS. On paper, we have to generalize the judgment $e \Downarrow v$ to have free variables; we write $e \Downarrow_\Gamma v$ where $\Gamma$ contains free expression variables.

$$\frac{}{\lambda x.e \Downarrow_\Gamma \lambda x.e} \qquad \frac{e_1 \Downarrow_\Gamma \lambda x.e \quad e_2 \Downarrow_\Gamma v_2 \quad [v_2/x]e \Downarrow_\Gamma v}{e_1\,e_2 \Downarrow_\Gamma v}$$
#mode fvar -.
fvar: exp -> prop.

#mode evn + + -.
evn: nat -> exp -> exp -> prop.

evn/var: evn N X X <- fvar X.
evn/lam: evn N (lam \x. E x) (lam \x. E' x)
          <- (All x. fvar x -> evn N (E x) (E' x)).
evn/app: evn N (app E1 E2) (app E1' E2')
          <- evn N E1 E1'
          <- evn N E2 E2'.

Figure 6.26: Semantics of partial evaluation for $\lambda^{\bigcirc}$ (lambda calculus fragment)


In SLS, this does not actually require us to change the judgment ev e v from Figure 6.1, since the specification itself does not specify the context of LF. However, $\lambda^{\bigcirc}$ also requires a separate judgment $e \Downarrow^n_\Gamma e'$ for partially evaluating expressions that will be fully evaluated not now but $n$ partial evaluation stages in the future. On the fragment of the logic that deals with functions and applications, this judgment does nothing but induct over the structure of expressions:

$$\frac{x \in \Gamma}{x \Downarrow^n_\Gamma x} \qquad \frac{e \Downarrow^n_{\Gamma,x} e'}{\lambda x.e \Downarrow^n_\Gamma \lambda x.e'} \qquad \frac{e_1 \Downarrow^n_\Gamma e_1' \quad e_2 \Downarrow^n_\Gamma e_2'}{e_1\,e_2 \Downarrow^n_\Gamma e_1'\,e_2'}$$

Note that the partial evaluation rule for $\lambda x.e$ extends the variable context $\Gamma$. The SLS encoding of the judgment $e \Downarrow^n_\Gamma e'$ is given in Figure 6.26, which also introduces an auxiliary fvar judgment that tracks all the variables in $\Gamma$.

The evaluation judgment $e \Downarrow_\Gamma v$ and the partial evaluation judgment $e \Downarrow^n_\Gamma e'$ only interact in $\lambda^{\bigcirc}$ through the temporal fragment, which mediates between the two judgments by way of two expressions. The first, next e, says that the enclosed expression e should be evaluated one time step later than the surrounding expression. The second, prev e, says that the enclosed expression should be evaluated one time step before the surrounding expression. When we evaluate prev e at time 1 it is necessary that e evaluates to next e', as prev (next e') at time step 1 will reduce to e'.

$$\frac{e \Downarrow^1_\Gamma e'}{\mathsf{next}\ e \Downarrow_\Gamma \mathsf{next}\ e'} \qquad \frac{e \Downarrow^{n+1}_\Gamma e'}{\mathsf{next}\ e \Downarrow^n_\Gamma \mathsf{next}\ e'}$$

$$\frac{e \Downarrow_\Gamma \mathsf{next}\ e'}{\mathsf{prev}\ e \Downarrow^1_\Gamma e'} \qquad \frac{e \Downarrow^{n+1}_\Gamma e'}{\mathsf{prev}\ e \Downarrow^{n+2}_\Gamma \mathsf{prev}\ e'}$$


This natural semantics specification is represented on the left-hand side of Figure 6.27. Due to the structure of the evn/lam rule, we cannot operationalize the evn predicate: it does not have the structure of a C proposition as described in Section 6.1.1. Rule evn/lam does, however, have the structure of a D proposition if we assign evn to the class of predicates that are not operationalized. Therefore, it is possible to operationalize the ev predicate without operationalizing the evn predicate. This leaves the rules in Figure 6.26 completely unchanged; the right-hand side of Figure 6.27 contains the transformed temporal fragment, where the evn/next and evn/prev rules are similarly unchanged. The ev/next rule, however, contains a subgoal !evn (s z) E E' which uses a deductive derivation to build a concurrent step. Conversely, the ev/prev rule contains a subgoal
Left-hand side (natural semantics):

ev/next: ev (next E) (next E')
          <- evn (s z) E E'.

evn/next: evn N (next E) (next E')
          <- evn (s N) E E'.

ev/prev: evn (s z) (prev E) E'
          <- ev E (next E').

evn/prev: evn (s (s N)) (prev E) (prev E')
          <- evn (s N) E E'.


Right-hand side (ev operationalized):

ev/next: eval (next E) * !evn (s z) E E'
          >-> {retn (next E')}.

evn/next: evn N (next E) (next E')
          <- evn (s N) E E'.

ev/prev: evn (s z) (prev E) E'
          <- (eval E >-> {retn (next E')}).

evn/prev: evn (s (s N)) (prev E) (prev E')
          <- evn (s N) E E'.


Figure 6.27: Semantics for $\lambda^{\bigcirc}$ (temporal fragment)


of eval E >-> {retn (next E')} that uses a concurrent derivation to create a deductive derivation. This makes the right-hand side of Figure 6.27 the only SLS specification in this dissertation that exhibits an arbitrarily nested dependency between concurrent and deductive reasoning.

The natural semantics of $\lambda^{\bigcirc}$ are not, on a superficial level, significantly more complex than other natural semantics. It turns out, though, that the usual set of techniques for adding state to an operational semantics break down for $\lambda^{\bigcirc}$. Discussing a $\lambda^{\bigcirc}$-like logic with state remained a challenge for many years, though a full solution has recently been given by Kameyama et al. using delimited control operators [KKS11]. Our discussion of operationalization gives a perspective on why this task is difficult, as the specification is far outside of the image of the extended natural semantics we considered in Section 6.5.5. We normally add state to ordered abstract machine specifications by manipulating and extending the set of ambient linear and persistent resources. If we tried to add state to $\lambda^{\bigcirc}$ the same way we added it in Section 6.5.1, the entire store would effectively leave scope whenever computation considered the subterm e of next e.

I conjecture that the nominal generalization of ordered linear lax logic alluded to in the discussion of locations and existential name generation (Section 6.5.1) could support operationalizing predicates like evn n e e'. This might, in turn, make it possible to add state to an SSOS specification of $\lambda^{\bigcirc}$, but that is left for future work.
Chapter 7

Destination-passing


The natural notion of ordering provided by ordered linear logic is quite convenient for encoding evolving systems that perform local manipulations to a stack-like structure. This was demonstrated by the push-down automaton for generic bracket matching discussed in the introduction. We can now present that specification in Figure 7.1 as an SLS specification.

hd: prop ord.
left: tok -> prop ord.
right: tok -> prop ord.
stack: tok -> prop ord.

push: hd * left X >-> {stack X * hd}.
pop: stack X * hd * right X >-> {hd}.

Figure 7.1: Ordered SLS specification of a PDA for parenthesis matching

Tree structures were reasonably straightforward to encode in the ordered context as well, as we saw from the SSOS specification for parallel pairs in Chapter 6.
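As an added example (not code from the dissertation or the SLS implementation), the following Python simulates the ordered rewriting behind Figure 7.1: the ordered context is a list, and a rule rewrites a contiguous block of it. The atom encoding, the tokenizer, and the input strings are this example's own constructions; the two rules are transcribed from the figure.

```python
# Added example (not code from the dissertation): a committed-choice simulator for
# ordered rewriting, run on the parenthesis-matching PDA of Figure 7.1. Each atom is
# a tuple such as ("hd",) or ("left", "sq"); a rule rewrites a contiguous block of
# the ordered context. The input strings in the tests are constructed samples.

def match(pattern, atoms):
    """Match a contiguous block of atoms against a pattern; capitalised names are
    variables. Returns the substitution, or None if the block does not match."""
    if len(pattern) != len(atoms):
        return None
    subst = {}
    for pat, atom in zip(pattern, atoms):
        if pat[0] != atom[0] or len(pat) != len(atom):
            return None
        for p, a in zip(pat[1:], atom[1:]):
            if p.isupper():
                if subst.setdefault(p, a) != a:
                    return None
            elif p != a:
                return None
    return subst

def ordered_step(ctx, rules):
    """Fire the first rule that matches, at the leftmost position where it matches."""
    for name, premise, head in rules:
        for i in range(len(ctx) - len(premise) + 1):
            s = match(premise, ctx[i:i + len(premise)])
            if s is not None:
                new = [tuple(s.get(t, t) for t in atom) for atom in head]
                return name, ctx[:i] + new + ctx[i + len(premise):]
    return None

# Figure 7.1:  push: hd * left X >-> {stack X * hd}.   pop: stack X * hd * right X >-> {hd}.
PDA_RULES = [
    ("push", [("hd",), ("left", "X")], [("stack", "X"), ("hd",)]),
    ("pop", [("stack", "X"), ("hd",), ("right", "X")], [("hd",)]),
]
TOKENS = {"[": ("left", "sq"), "]": ("right", "sq"), "(": ("left", "pa"), ")": ("right", "pa")}

def run_pda(text):
    """Start from hd followed by the tokens and return every state visited. At most
    one rule applies in any state (hd is unique and is followed by either a left or
    a right token), so committed choice loses nothing for this specification."""
    ctx = [("hd",)] + [TOKENS[c] for c in text]
    trace = [ctx]
    while (step := ordered_step(ctx, PDA_RULES)) is not None:
        ctx = step[1]
        trace.append(ctx)
    return trace

def accepts(text):
    """The PDA accepts exactly when the context is reduced to the lone hd."""
    return run_pda(text)[-1] == [("hd",)]
```

A mismatched string such as "[(]" simply gets stuck: after two pushes the context reads stack sq, stack pa, hd, right sq, and pop fails because its two occurrences of X would have to unify pa with sq.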

At some point, however, the simple data structures that can be naturally encoded in an ordered context become too limiting. When we reach this point, we turn to destinations, which allow us to glue control flow together in much more flexible ways. Destinations (terms of type dest) are a bit like the locations $l$ introduced in the specification of mutable storage in Section 6.5.1. They have no constructors: they are only introduced as variables by existential quantification, which means they can freely be subject to unification when the conclusion of a rule declares them to be equal (as described in Section 4.2). Destinations allow us to encode very expressive structures in the linear context of SLS. Instead of using order to capture the local relationships between different propositions, we use destinations.

Linear logic alone is able to express any (flat, concurrent) specifications that can be expressed using ordered atomic propositions. In other words, we did not ever need order; it was just a more pleasant way to capture simple control structures. We will demonstrate that fact in this chapter by describing a transformation, destination-adding, from specifications with ordered atomic propositions to specifications that only include linear and persistent atomic propositions. This destination-adding transformation, which we originally presented in [SP11a], turns all ordered atomic propositions into linear atomic propositions and tags them with two new arguments (the destinations of the destination-adding transformation). These extra destinations serve as a link between a formerly-ordered atomic proposition and its two former neighbors in the ordered context. When we perform the destination-adding transformation on the specification in Figure 7.1, we get the specification in Figure 7.2.

hd: dest -> dest -> prop lin.
left: tok -> dest -> dest -> prop lin.
right: tok -> dest -> dest -> prop lin.
stack: tok -> dest -> dest -> prop lin.

push: hd L M * left X M R >-> {Exists m. stack X L m * hd m R}.
pop: stack X L M1 * hd M1 M2 * right X M2 R >-> {hd L R}.

Figure 7.2: Linear SLS specification of a PDA for parenthesis matching

The specification in Figure 7.2, like every other specification that results from destination-adding, has no occurrences of $\mathord{\downarrow}A^-$ (the transformation has not been adapted to nested rules) and no ordered atomic propositions (these are specifically removed by the transformation). As a result, we write hd L M instead of $hd L M, omitting the optional linearity indicator $ on the linear atomic propositions as discussed in Section 4.5. Additionally, by the discussion in Section 3.7, we would be justified in viewing this specification as a linear logical specification (or a CLF specification) instead of an ordered logical specification in SLS. This would not impact the structure of the derivations significantly; essentially, it just means that we would write $A_1^+ \multimap \{A_2^+\}$ instead of $A_1^+ \rightarrowtail \{A_2^+\}$. This reinterpretation was used in [SP11a], but we will stick with the notation of ordered logic for consistency, while recognizing that there is nothing ordered about specifications like the one in Figure 7.2.

When the destination-adding translation is applied to ordered abstract machine SSOS specifications, the result is a style of SSOS specification called destination-passing. Destination-passing specifications were the original style of SSOS specification proposed in the CLF technical reports [CPWW02]. Whereas the operationalization transformation exposed the structure of natural semantics proofs so that they could be modularly extended with stateful features, the destination-adding translation exposes the control structure of specifications, allowing the language to be modularly extended with control effects and effects like synchronization.


7.1 Logical transformation: destination-adding

The translation we define operates on rules of the form $\forall\bar{x}.\,S_1 \rightarrowtail \{S_2\}$, where $S_1$ must contain at least one ordered atomic proposition. The syntactic category $S$ is a refinement of the positive types $A^+$ defined by the following grammar:

$$S ::= p^+_{\mathit{pers}} \mid p^+_{\mathit{eph}} \mid p^+ \mid \mathbf{1} \mid t \doteq s \mid S_1 \bullet S_2 \mid \exists x{:}\tau.\,S$$

The translation of a rule $\forall\bar{x}.\,S_1 \rightarrowtail \{S_2\}$ is then $\forall\bar{x}.\,\forall d_L{:}\mathsf{dest}.\,\forall d_R{:}\mathsf{dest}.\,\llbracket S_1 \rrbracket^{d_L}_{d_R} \rightarrowtail \{\llbracket S_2 \rrbracket^{d_L}_{d_R}\}$, where $\llbracket S \rrbracket^{d_L}_{d_R}$ is defined in Figure 7.3. It is also necessary to transform all ordered predicates with kind $\Pi x_1{:}\tau_1 \ldots \Pi x_n{:}\tau_n.\,\mathsf{prop\ ord}$ that are declared in the signature into predicates with kind $\Pi x_1{:}\tau_1 \ldots \Pi x_n{:}\tau_n.\,\mathsf{dest} \to \mathsf{dest} \to \mathsf{prop\ ord}$ in order for the translation of an ordered atomic proposition $p^+$ to remain well-formed in the transformed signature.

$$\llbracket p^+ \rrbracket^{d_L}_{d_R} = a\ t_1 \ldots t_n\ d_L\ d_R \qquad (\text{where } p^+ = a\ t_1 \ldots t_n)$$
$$\llbracket p^+_{\mathit{eph}} \rrbracket^{d_L}_{d_R} = p^+_{\mathit{eph}} \bullet d_L \doteq d_R$$
$$\llbracket p^+_{\mathit{pers}} \rrbracket^{d_L}_{d_R} = p^+_{\mathit{pers}} \bullet d_L \doteq d_R$$
$$\llbracket \mathbf{1} \rrbracket^{d_L}_{d_R} = d_L \doteq d_R$$
$$\llbracket t \doteq s \rrbracket^{d_L}_{d_R} = t \doteq s \bullet d_L \doteq d_R$$
$$\llbracket S_1 \bullet S_2 \rrbracket^{d_L}_{d_R} = \exists d_M{:}\mathsf{dest}.\,\llbracket S_1 \rrbracket^{d_L}_{d_M} \bullet \llbracket S_2 \rrbracket^{d_M}_{d_R}$$
$$\llbracket \exists x{:}\tau.\,S \rrbracket^{d_L}_{d_R} = \exists x{:}\tau.\,\llbracket S \rrbracket^{d_L}_{d_R}$$

Figure 7.3: Destination-adding transformation

The destination-adding translation presented here is the same as the one presented in [SP11a], except that the transformation there operated on rules of the form $\forall\bar{x}.\,S_1 \twoheadrightarrow \{S_2\}$ and ours will operate over rules of the form $\forall\bar{x}.\,S_1 \rightarrowtail \{S_2\}$.¹ As discussed in Section 6.2.2, the difference between $\twoheadrightarrow$ and $\rightarrowtail$ is irrelevant in this situation. The restriction to flat specifications, on the other hand, is an actual limitation. We conjecture that the translation presented here, and the correctness proof presented in [SP11a], would extend to nested SLS specifications. However, the detailed correctness proofs in that work are already quite tedious (though our explicit notation for patterns as partial derivations can simplify the proof somewhat) and the limited transformation described by Figure 7.3 is sufficient for our purposes. Therefore, we will rely on the existing result, leaving the correctness of a more general development for future work.

According to Figure 7.3, the rule pop in Figure 7.2 should actually be written as follows:

$$\mathsf{pop} : \forall x{:}\mathsf{tok}.\,\forall l{:}\mathsf{dest}.\,\forall r{:}\mathsf{dest}.\ (\exists m_1{:}\mathsf{dest}.\,\mathsf{stack}\ x\ l\ m_1 \bullet (\exists m_2{:}\mathsf{dest}.\,\mathsf{hd}\ m_1\ m_2 \bullet \mathsf{right}\ x\ m_2\ r)) \rightarrowtail \{\mathsf{hd}\ l\ r\}$$

The destination-adding transformation as implemented produces rules that are equivalent to the specification in Figure 7.3 but that avoid unnecessary equalities and push existential quantifiers as far out as possible (which includes turning existential quantifiers $(\exists x.\,A^+) \rightarrowtail B^-$ into universal quantifiers $\forall x.\,A^+ \rightarrowtail B^-$). The result is a specification, equivalent at the level of synthetic transitions, that looks like the one in Figure 7.2. We write the result of the destination-adding transformation on the signature $\Sigma$ as $\mathrm{Dest}(\Sigma)$.
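The clauses of Figure 7.3 are short enough to transcribe directly. The following added example (not code from the dissertation or from the SLS implementation, whose actual transformation also performs the simplifications just described) implements the figure's translation on a small tree representation of flat rules and applies it to push and pop from Figure 7.1, bracketing pop as in the worked translation above. The data representation, the printer, and the generator of fresh destination names are this example's own.

```python
# Added example (not code from the dissertation or the SLS implementation):
# the destination-adding transformation of Figure 7.3 on flat rules, clause by
# clause, applied to the ordered push and pop rules of Figure 7.1.
import itertools

# S ::= ("atom", name, args, kind)   kind in {"ord", "eph", "pers"}
#     | ("one",) | ("eq", t, s) | ("tensor", S1, S2) | ("exists", x, tau, S)

def dest_names():
    """Fresh destination names m1, m2, ... for the Exists introduced by tensors."""
    for i in itertools.count(1):
        yield f"m{i}"

def dest_add(s, dL, dR, gen):
    """[[S]]^{dL}_{dR} as defined in Figure 7.3."""
    tag = s[0]
    if tag == "atom":
        name, args, kind = s[1], s[2], s[3]
        if kind == "ord":                       # ordered atom gets the two destinations
            return ("atom", name, list(args) + [dL, dR], "lin")
        return ("tensor", s, ("eq", dL, dR))   # eph/pers atom: keep it, equate dL and dR
    if tag == "one":
        return ("eq", dL, dR)
    if tag == "eq":
        return ("tensor", s, ("eq", dL, dR))
    if tag == "tensor":                         # Exists dM. [[S1]]^{dL}_{dM} * [[S2]]^{dM}_{dR}
        dM = next(gen)
        return ("exists", dM, "dest",
                ("tensor", dest_add(s[1], dL, dM, gen), dest_add(s[2], dM, dR, gen)))
    if tag == "exists":
        return ("exists", s[1], s[2], dest_add(s[3], dL, dR, gen))
    raise ValueError(tag)

def dest_add_rule(rule, gen):
    """Forall xs. S1 >-> {S2} becomes Forall xs. Forall dL. Forall dR. [[S1]] >-> {[[S2]]}."""
    xs, premise, head = rule
    return (list(xs) + [("dL", "dest"), ("dR", "dest")],
            dest_add(premise, "dL", "dR", gen), dest_add(head, "dL", "dR", gen))

def has_ordered(s):
    """True if any ordered atomic proposition remains in S."""
    tag = s[0]
    if tag == "atom":
        return s[3] == "ord"
    if tag in ("one", "eq"):
        return False
    if tag == "tensor":
        return has_ordered(s[1]) or has_ordered(s[2])
    return has_ordered(s[3])

def show(s):
    tag = s[0]
    if tag == "atom":
        return " ".join([s[1]] + list(s[2]))
    if tag == "one":
        return "1"
    if tag == "eq":
        return f"{s[1]} = {s[2]}"
    if tag == "tensor":
        return f"({show(s[1])} * {show(s[2])})"
    return f"Exists {s[1]}:{s[2]}. {show(s[3])}"

def show_rule(rule):
    xs, premise, head = rule
    quant = "".join(f"Forall {x}:{t}. " for x, t in xs)
    return f"{quant}{show(premise)} >-> {{{show(head)}}}"

def atom(name, *args, kind="ord"):
    return ("atom", name, list(args), kind)

# push: hd * left X >-> {stack X * hd}
PUSH = ([("X", "tok")], ("tensor", atom("hd"), atom("left", "X")),
        ("tensor", atom("stack", "X"), atom("hd")))
# pop: stack X * (hd * right X) >-> {hd}, bracketed as in the worked translation of pop
POP = ([("X", "tok")], ("tensor", atom("stack", "X"), ("tensor", atom("hd"), atom("right", "X"))),
       atom("hd"))
```

Running show_rule on the translated POP prints exactly the quantified form written out above, with m1 and m2 in place of $m_1$ and $m_2$; the translated PUSH keeps the Exists in its head, which is the destination the text goes on to ask about.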

We can consider a further simplification: is it necessary to generate a new destination $m$ by existential quantification in the head $\exists m.\,\mathsf{stack}\ x\ l\ m \bullet \mathsf{hd}\ m\ r$ of push in Figure 7.2? There is already a destination $m$ mentioned in the head that will be unused in the conclusion. It would, in fact, be possible to avoid generating new destinations in the transformation of rules $\forall\bar{x}.\,S_1 \rightarrowtail \{S_2\}$ where the head $S_2$ contains no more ordered atomic propositions than the premise $S_1$.

¹ The monad $\{S_2\}$ did not actually appear in [SP11a], and the presentation took polarity into account but was not explicitly polarized. We are justified in reading the lax modality back in by the erasure arguments discussed in Section 3.7.

We don't perform this simplification for a number of reasons. First and foremost, the transformation described in Figure 7.3 more closely follows the previous work by Morrill, Moot, Piazza, and van Benthem discussed in Section 5.2, and using the transformation as given simplifies the correctness proof (Theorem 7.1). Pragmatically, the additional existential quantifiers also give us more structure to work with when considering program abstraction in Chapter 8. Finally, if we apply both the transformation in Figure 7.3 and a transformation that reuses destinations to an ordered abstract machine SSOS specification, the former transformation produces results that are more in line with existing destination-passing SSOS specifications.

To prove the correctness of destination-adding, we must describe a translation $\llbracket \Psi; \Delta \rrbracket$ from process states with ordered, linear, and persistent atomic propositions to ones with only linear and persistent atomic propositions:

$$\llbracket \Psi; \cdot \rrbracket = (\Psi, d{:}\mathsf{dest};\ \cdot)$$

$$\llbracket \Psi; \Delta, x{:}(a\ t_1 \ldots t_n)\ \mathit{ord} \rrbracket = (\Psi', d_L{:}\mathsf{dest}, d_R{:}\mathsf{dest};\ \Delta', x{:}(a\ t_1 \ldots t_n\ d_L\ d_R))$$
(where $a$ is ordered and $\llbracket \Psi; \Delta \rrbracket = (\Psi', d_L{:}\mathsf{dest};\ \Delta')$)

$$\llbracket \Psi; \Delta, x{:}(p^+_{\mathit{eph}})\ \mathit{eph} \rrbracket = (\Psi';\ \Delta', x{:}(p^+_{\mathit{eph}}))$$
(where $\llbracket \Psi; \Delta \rrbracket = (\Psi'; \Delta')$)

$$\llbracket \Psi; \Delta, x{:}(p^+_{\mathit{pers}})\ \mathit{pers} \rrbracket = (\Psi';\ \Delta', x{:}(p^+_{\mathit{pers}}))$$
(where $\llbracket \Psi; \Delta \rrbracket = (\Psi'; \Delta')$)

Theorem 7.1 (Correctness of destination-adding).

$\llbracket \Psi; \Delta \rrbracket \rightsquigarrow^*_{\mathrm{Dest}(\Sigma)} (\Psi'; \Delta')$ if and only if $(\Psi; \Delta) \rightsquigarrow^*_{\Sigma} (\Psi_0; \Delta_0)$ and $(\Psi'; \Delta') = \llbracket \Psi_0, \Psi''; \Delta_0 \rrbracket$ for some variable context $\Psi''$ containing destinations free in the translation of $\Delta$ but not in the translation of $\Delta_0$.

Proof. This proof is given in detail in [SP11a, Appendix A]. It involves a great deal of tedious tracking of destinations, but the intuition behind that tedious development is reasonably straightforward.

First, we need to prove that a right-focused proof of $\Psi; \Delta \vdash_\Sigma [S]$ implies that there is an analogous proof of $\llbracket \Psi; \Delta \rrbracket \vdash_{\mathrm{Dest}(\Sigma)} [\llbracket S \rrbracket^{d_L}_{d_R}]$. Conversely, if we can prove $\Psi; \Delta \vdash_{\mathrm{Dest}(\Sigma)} [\llbracket S \rrbracket^{d_L}_{d_R}]$ in right focus under the linear translation, then it is possible to reconstruct an ordered context $\Psi'; \Delta'$ such that $\llbracket \Psi'; \Delta' \rrbracket = \Psi; \Delta$ and $\Psi'; \Delta' \vdash_\Sigma [S]$ by threading together the destinations from $d_L$ to $d_R$ in $\Delta$. Both directions are established by structural induction on the given derivation. The critical property is that it is possible to reconstruct the ordered context from the context of any right-focus sequent that arises during translation. Proving that property is where the flat structure of rules is particularly helpful; the use of positive atomic propositions comes in handy too [SP11a, Lemma 1].
eval: exp -> dest -> dest -> prop lin.
retn: exp -> dest -> dest -> prop lin.
cont: frame -> dest -> dest -> prop lin.

ev/lam: eval (lam \x. E x) D' D >-> {retn (lam \x. E x) D' D}.

ev/app: eval (app E1 E2) D' D
         >-> {Exists d1. eval E1 D' d1 * cont (app1 E2) d1 D}.

ev/app1: retn (lam \x. E x) D' D1 * cont (app1 E2) D1 D
         >-> {Exists d2. eval E2 D' d2 * cont (app2 \x. E x) d2 D}.

ev/app2: retn V2 D' D2 * cont (app2 \x. E x) D2 D
         >-> {eval (E V2) D' D}.

Figure 7.4: Translation of Figure 6.6 with vestigial destinations


Second, we need to prove that patterns can be translated in both directions: that if $(\Psi; \Delta) \Rightarrow (\Psi'; \Delta_0)$ under the original signature then $P :: \llbracket \Psi; \Delta \rrbracket \Rightarrow \llbracket \Psi'; \Delta_0 \rrbracket$ under the translated signature [SP11a, Lemma 4], and that if $P :: \llbracket \Psi; \Delta \rrbracket \Rightarrow (\Psi'; \Delta^*)$ then there exists $\Delta_0$ such that $(\Psi'; \Delta^*) = \llbracket \Psi'; \Delta_0 \rrbracket$ [SP11a, Lemma 5]. Both directions are again by induction over the structure of the given pattern.

The theorem then follows directly from these two lemmas. There is a trivial induction on spines to handle the sequence of quantifiers, but the core of a flat rule is a proposition $S_1 \rightarrowtail \{S_2\}$: we reconstruct the ordered context from the value used to prove $S_1$, and then begin inverting with the positive proposition $S_2$ in the context. □


If we leave off explicitly mentioning the variable context $\Psi$, then the trace that represents successfully processing the string [()] with the transformed push-down automaton specification in Figure 7.2 is as follows (we again underline hd for emphasis):

$$(y_0{:}(\underline{\mathsf{hd}}\ d_0\ d_1),\ x_1{:}(\mathsf{left}\ \mathsf{sq}\ d_1\ d_2),\ x_2{:}(\mathsf{left}\ \mathsf{pa}\ d_2\ d_3),\ x_3{:}(\mathsf{right}\ \mathsf{pa}\ d_3\ d_4),\ x_4{:}(\mathsf{right}\ \mathsf{sq}\ d_4\ d_5))$$
$$\rightsquigarrow (z_1{:}(\mathsf{stack}\ \mathsf{sq}\ d_0\ d_6),\ y_1{:}(\underline{\mathsf{hd}}\ d_6\ d_2),\ x_2{:}(\mathsf{left}\ \mathsf{pa}\ d_2\ d_3),\ x_3{:}(\mathsf{right}\ \mathsf{pa}\ d_3\ d_4),\ x_4{:}(\mathsf{right}\ \mathsf{sq}\ d_4\ d_5))$$
$$\rightsquigarrow (z_1{:}(\mathsf{stack}\ \mathsf{sq}\ d_0\ d_6),\ z_2{:}(\mathsf{stack}\ \mathsf{pa}\ d_6\ d_7),\ y_2{:}(\underline{\mathsf{hd}}\ d_7\ d_3),\ x_3{:}(\mathsf{right}\ \mathsf{pa}\ d_3\ d_4),\ x_4{:}(\mathsf{right}\ \mathsf{sq}\ d_4\ d_5))$$
$$\rightsquigarrow (z_1{:}(\mathsf{stack}\ \mathsf{sq}\ d_0\ d_6),\ y_3{:}(\underline{\mathsf{hd}}\ d_6\ d_4),\ x_4{:}(\mathsf{right}\ \mathsf{sq}\ d_4\ d_5))$$
$$\rightsquigarrow (y_4{:}(\underline{\mathsf{hd}}\ d_0\ d_5))$$

One reason for leaving off the variable context $\Psi$ in this example is that by the end it contains the LF variables $d_1$, $d_2$, $d_3$, $d_4$, $d_5$, $d_6$, and $d_7$, none of which are actually present in the substructural context $y_4{:}(\mathsf{hd}\ d_0\ d_5)$. We can informally think of these destinations as having been "garbage collected," but this notion is not supported by the formal system we described in Chapter 4.
eval: exp -> dest -> prop lin.
retn: exp -> dest -> prop lin.
cont: frame -> dest -> dest -> prop lin.

ev/lam: eval (lam \x. E x) D >-> {retn (lam \x. E x) D}.

ev/app: eval (app E1 E2) D
         >-> {Exists d1. eval E1 d1 * cont (app1 E2) d1 D}.

ev/app1: retn (lam \x. E x) D1 * cont (app1 E2) D1 D
         >-> {Exists d2. eval E2 d2 * cont (app2 \x. E x) d2 D}.

ev/app2: retn V2 D2 * cont (app2 \x. E x) D2 D
         >-> {eval (E V2) D}.

Figure 7.5: Translation of Figure 6.6 without vestigial destinations

7.1.1 Vestigial destinations

When we apply the translation of expressions to the call-by-value lambda calculus specification from Figure 6.6, we get the specification in Figure 7.4. Because eval and retn are always unique and always appear at the leftmost end of the substructural context, this specification has a quirk: the second argument to eval and retn is always $d'$, and that destination never changes; it is essentially a vestige of the destination-adding transformation. As long as we are transforming a sequential ordered abstract machine, we can eliminate this vestigial destination, giving us the specification in Figure 7.5. This extra destination is not vestigial when we translate a parallel specification, but as we discuss in Section 7.2.1, we don't necessarily want to apply destination-adding to parallel ordered abstract machines anyway.

7.1.2 Persistent destination passing

When we translate our PDA specification, it is actually not necessary to translate hd, left, right and stack as linear atomic propositions. If we translate hd as a linear predicate but translate the other predicates as persistent predicates, it will still be the case that there is always exactly one linear atomic proposition $\mathsf{hd}\ d_L\ d_R$ in the context, at most one $\mathsf{stack}\ x\ d\ d_L$ proposition with the same destination $d_L$, and at most one $\mathsf{right}\ x\ d_R\ d$ or $\mathsf{left}\ x\ d_R\ d$ with the same destination $d_R$. This means it is still the case that the PDA accepts the string if and only if there is the following series of transitions:

$$(x{:}(\mathsf{hd}\ d_0\ d_1),\ y_1{:}(\mathsf{left}\ x_1\ d_1\ d_2),\ \ldots,\ y_n{:}(\mathsf{right}\ x_n\ d_n\ d_{n+1})) \rightsquigarrow^* (\Gamma,\ z{:}(\mathsf{hd}\ d_0\ d_{n+1}))$$

Unlike the entirely-linear PDA specification, the final state may include some additional persistent propositions, represented by $\Gamma$. Specifically, the final state contains all the original $\mathsf{left}\ x\ d_i\ d_{i+1}$ and $\mathsf{right}\ x\ d_i\ d_{i+1}$ propositions along with all the $\mathsf{stack}\ x\ d\ d'$ propositions that were created during the course of evaluation.
I originally conjectured that a version of Theorem 7.1 would hold in any specification that turned some ordered atomic propositions linear and others persistent just as long as at least one atomic proposition in the premise of every rule remained linear after transformation. This would have given a generic justification for turning left, right and stack persistent in Figure 7.2 and for turning cont persistent in Figure 7.5. However, that condition is not strong enough. To see why, consider a signature with one rule, $a \bullet b \bullet a \rightarrowtail \{b\}$, where $a$ and $b$ are ordered atomic propositions. We can construct the following trace:

$$(x_1{:}(a),\ x_2{:}(b),\ x_3{:}(a),\ x_4{:}(b),\ x_5{:}(a)) \rightsquigarrow (x{:}(b),\ x_4{:}(b),\ x_5{:}(a)) \not\rightsquigarrow$$

From the same starting point, exactly one other trace is possible:

$$(x_1{:}(a),\ x_2{:}(b),\ x_3{:}(a),\ x_4{:}(b),\ x_5{:}(a)) \rightsquigarrow (x_1{:}(a),\ x_2{:}(b),\ x{:}(b)) \not\rightsquigarrow$$

However, if we perform the destination-passing transformation, letting $a\ d\ d'$ be a persistent atomic proposition and letting $b\ d\ d'$ be a linear atomic proposition, then we have a series of transitions in the transformed specification that can reuse the atomic proposition $a\ d_2\ d_3$ in a way that doesn't correspond to any series of transitions in ordered logic:

$$x_1{:}(a\ d_0\ d_1)\ \mathit{pers},\ x_2{:}(b\ d_1\ d_2)\ \mathit{eph},\ x_3{:}(a\ d_2\ d_3)\ \mathit{pers},\ x_4{:}(b\ d_3\ d_4)\ \mathit{eph},\ x_5{:}(a\ d_4\ d_5)\ \mathit{pers}$$
$$\rightsquigarrow x_1{:}(a\ d_0\ d_1)\ \mathit{pers},\ x{:}(b\ d_0\ d_3)\ \mathit{eph},\ x_3{:}(a\ d_2\ d_3)\ \mathit{pers},\ x_4{:}(b\ d_3\ d_4)\ \mathit{eph},\ x_5{:}(a\ d_4\ d_5)\ \mathit{pers}$$
$$\rightsquigarrow x_1{:}(a\ d_0\ d_1)\ \mathit{pers},\ x{:}(b\ d_0\ d_3)\ \mathit{eph},\ x_3{:}(a\ d_2\ d_3)\ \mathit{pers},\ x'{:}(b\ d_2\ d_5)\ \mathit{eph},\ x_5{:}(a\ d_4\ d_5)\ \mathit{pers}$$

In the first process state, there is a path $d_0, d_1, d_2, d_3, d_4, d_5$ through the context that reconstructs the ordering in the original ordered context. In the second process state, there is still a path $d_0, d_3, d_4, d_5$ that allows us to reconstruct the ordered context $(x{:}(b),\ x_4{:}(b),\ x_5{:}(a))$ by ignoring the persistent propositions associated with $x_1$ and $x_3$. However, in the third process state above, no path exists, so the final state cannot be reconstructed as any ordered context.
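Both the PDA trace for [()] earlier in this section and the $a \bullet b \bullet a \rightsquigarrow \{b\}$ counterexample can be replayed with one small engine. The following added example (not code from the dissertation or from the SLS implementation) enumerates the synthetic transitions of destination-tagged rules over a linear/persistent context, consuming linear atoms and reusing persistent ones, and adds a destination-threading check that mirrors the path argument just made. The context representation, rule encoding, label names and the fresh-destination generator are this example's own; the rules, initial states and destination numbering follow the text.

```python
# Added example (not code from the dissertation or the SLS implementation): a
# multiset rewriting engine over destination-tagged linear and persistent atoms,
# used to replay the Figure 7.2 PDA trace for "[()]" and the a * b * a >-> {b}
# counterexample with a persistent and b linear.
import itertools

# A context is a list of (label, atom, kind) with atom = (pred, *args) and kind in
# {"lin", "pers"}. Capitalised names in rule patterns are variables; names listed
# under "exists" in a rule head receive fresh destinations when the rule fires.
LABELS = itertools.count(1)

def unify(pat, atom, s):
    if pat[0] != atom[0] or len(pat) != len(atom):
        return None
    s = dict(s)
    for p, a in zip(pat[1:], atom[1:]):
        if p[0].isupper():
            if s.setdefault(p, a) != a:
                return None
        elif p != a:
            return None
    return s

def match_premise(prem, ctx, s, used):
    """All substitutions matching the premise multiset: a linear atom may be used
    once per match, a persistent atom any number of times."""
    if not prem:
        yield s, used
        return
    for i, (_, atom, kind) in enumerate(ctx):
        if i in used and kind == "lin":
            continue
        s2 = unify(prem[0], atom, s)
        if s2 is not None:
            yield from match_premise(prem[1:], ctx, s2, used | {i})

def successors(ctx, rules, kinds, gen):
    """Every synthetic transition available from ctx, as (rule name, new context)."""
    out = []
    for rule in rules:
        for s, used in match_premise(rule["prem"], ctx, {}, frozenset()):
            s = dict(s)
            for e in rule.get("exists", ()):
                s[e] = next(gen)                    # Exists m. ... : a fresh destination
            kept = [entry for i, entry in enumerate(ctx) if i not in used or entry[2] == "pers"]
            new = [(f"v{next(LABELS)}", tuple(s.get(t, t) for t in pat), kinds[pat[0]])
                   for pat in rule["head"]]
            out.append((rule["name"], kept + new))
    return out

def atoms(ctx):
    return [atom for _, atom, _ in ctx]

def run_deterministic(ctx, rules, kinds, gen):
    """Follow transitions while exactly one is available; returns the states visited."""
    trace = [ctx]
    while len(nexts := successors(ctx, rules, kinds, gen)) == 1:
        ctx = nexts[0][1]
        trace.append(ctx)
    return trace

def ordered_path(ctx, start, end):
    """Thread destinations from start to end visiting every linear atom exactly once
    (persistent atoms may be skipped). Returns the atoms on the path, or None."""
    linear = {i for i, (_, _, k) in enumerate(ctx) if k == "lin"}
    def go(cur, used, path):
        if cur == end:
            return path if linear <= used else None
        for i, (_, atom, _) in enumerate(ctx):
            if i not in used and atom[-2] == cur:
                found = go(atom[-1], used | {i}, path + [atom])
                if found is not None:
                    return found
        return None
    return go(start, frozenset(), [])

# Figure 7.2, fully linear.
PDA_KINDS = {"hd": "lin", "left": "lin", "right": "lin", "stack": "lin"}
PDA_RULES = [
    {"name": "push", "prem": [("hd", "L", "M"), ("left", "X", "M", "R")],
     "head": [("stack", "X", "L", "m"), ("hd", "m", "R")], "exists": ["m"]},
    {"name": "pop", "prem": [("stack", "X", "L", "M1"), ("hd", "M1", "M2"), ("right", "X", "M2", "R")],
     "head": [("hd", "L", "R")]},
]

def pda_trace(tokens):
    """Initial state as in the text: hd d0 d1, then the tokens threaded d1 ... d(n+1)."""
    ctx = [("y0", ("hd", "d0", "d1"), "lin")]
    for i, (pred, tok) in enumerate(tokens, start=1):
        ctx.append((f"x{i}", (pred, tok, f"d{i}", f"d{i + 1}"), "lin"))
    gen = (f"d{i}" for i in itertools.count(len(tokens) + 2))
    return run_deterministic(ctx, PDA_RULES, PDA_KINDS, gen)

# The one-rule signature a * b * a >-> {b}, destination-added with a persistent.
ABA_KINDS = {"a": "pers", "b": "lin"}
ABA_RULES = [{"name": "aba", "prem": [("a", "L", "M1"), ("b", "M1", "M2"), ("a", "M2", "R")],
              "head": [("b", "L", "R")]}]
ABA_START = [("x1", ("a", "d0", "d1"), "pers"), ("x2", ("b", "d1", "d2"), "lin"),
             ("x3", ("a", "d2", "d3"), "pers"), ("x4", ("b", "d3", "d4"), "lin"),
             ("x5", ("a", "d4", "d5"), "pers")]

def aba_demo():
    """First step: two choices, as in ordered logic. Second step: the extra transition."""
    gen = (f"d{i}" for i in itertools.count(6))
    first = successors(ABA_START, ABA_RULES, ABA_KINDS, gen)
    second = successors(first[0][1], ABA_RULES, ABA_KINDS, gen)
    third = successors(second[0][1], ABA_RULES, ABA_KINDS, gen)
    return first, second, third
```

For the PDA, pda_trace on the four tokens of [()] visits five states and ends with the single atom hd d0 d5, with stack pa d6 d7 appearing after the second push exactly as in the trace above. For the counterexample, aba_demo reports two transitions from the initial state, then one more from the state containing b d0 d3 (producing b d2 d5 by reusing the persistent a d2 d3), and ordered_path confirms that the second state still threads d0 to d5 while the third does not.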

It would be good to identify a condition that allowed us to selectively turn some ordered propositions persistent when destination-adding without violating (a version of) Theorem 7.1. In the absence of such a generic condition, it is still straightforward to see that performing destination-passing and then turning some propositions persistent is an abstraction: if the original system can make a series of transitions, the transformed system can simulate those transitions, but the reverse may not be true. In any case, we can observe that, for many of the systems we are interested in, a partially-persistent destination-passing specification can only make transitions that were possible in the ordered specification. The push-down automaton with persistent stack, left, and right is one example of this, and we can similarly make the cont predicate persistent in SSOS specifications without introducing any new transitions. Turning the cont predicate persistent will be necessary for the discussion of first-class continuations in Section 7.2.4.


7.2 Exploring the richer fragment

In [SP11a], we were interested in exact logical correspondence between ordered abstract machine SSOS specifications and destination-passing SSOS specifications. (Destination-adding is
cont2: frame -> dest -> dest -> dest -> prop lin.

ev/pair: eval (pair E1 E2) D
          >-> {Exists d1. Exists d2.
               eval E1 d1 * eval E2 d2 * cont2 pair1 d1 d2 D}.

ev/pair1: retn V1 D1 * retn V2 D2 * cont2 pair1 D1 D2 D
          >-> {retn (pair V1 V2) D}.

Figure 7.6: Destination-passing semantics for parallel evaluation of pairs


useful  in  that  context  because  it  exposes  information  about  the  control  structure  of  computations; 
this  control  structure  can  be  harnessed  by  the  program  abstraction  methodology  described  in 
Chapter  8  to  derive  program  analyses.)  In  keeping  with  our  broader  use  of  the  logical  correspon¬ 
dence,  this  section  will  cover  programming  language  features  that  are  not  easily  expressible  with 
ordered  abstract  machine  SSOS  specifications  but  that  can  be  easily  expressed  with  destination¬ 
passing  SSOS  specifications.  Consequently,  these  are  features  that  can  be  modularly  added  to 
(sequential)  ordered  abstract  machine  specifications  that  have  undergone  the  destination-adding 
transformation. 

The semantics of parallelism and failure presented in Section 7.2.1 are new. The semantics of futures (Section 7.2.3) and synchronization (Section 7.2.2) are based on the specifications first presented in the CLF tech report [CPWW02]. The semantics of first-class continuations (Section 7.2.4) were presented previously in [Pfe04, PS09]. In destination-passing semantics, when we are dealing with fine-grained issues of control flow, the interaction of programming language features becomes more delicate. Parallel evaluation, recoverable failure, and synchronization are compatible features, as are synchronization and futures. Failure and first-class continuations are also compatible. We will not handle other interactions, though it would be interesting to explore the adaptation of Moreau and Ribbens' abstract machine for Scheme with parallel evaluation and callcc as a substructural operational semantics [MR96].

7.2.1  Alternative  semantics  for  parallelism  and  failure 

In Section 6.5.4, we discussed how parallel evaluation and recoverable failure can be combined in an ordered abstract machine SSOS specification. Due to the fact that the two parts of a parallel ordered abstract machine are separated by an arbitrary amount of ordered context, however, some potentially desirable ways of integrating parallelism and failure were difficult or impossible to express.

Once we transition to destination-passing SSOS specifications, it is possible to give a more direct semantics to parallel evaluation that better facilitates talking about failure. Instead of having the stack frame associated with parallel pairs be cont pair1 (as in Figure 6.8) or cont2 pair1 (as discussed in Section 6.5.4), we create a continuation cont2 pair1 d1 d2 d with three destinations; d1 and d2 represent the return destinations for the two subcomputations, whereas d represents the destination to which the evaluated pair is to be returned. This strategy applied to the parallel evaluation of pairs is shown in Figure 7.6.
error: dest -> prop lin.
handle: exp -> dest -> dest -> prop lin.
terminate: dest -> prop lin.

ev/fail: eval fail D >-> {error D}.
ev/error: error D' * cont F D' D >-> {error D}.
ev/errorL: error D1 * cont2 F D1 D2 D >-> {error D * terminate D2}.
ev/errorR: error D2 * cont2 F D1 D2 D >-> {error D * terminate D1}.
term/retn: retn V D * terminate D >-> {one}.    ; Returning in vain
term/err: error D * terminate D >-> {one}.      ; Failing redundantly

ev/catch: eval (catch E1 E2) D
          >-> {Exists d'. eval E1 d' * handle E2 d' D}.
ev/catcha: retn V D' * handle _ D' D >-> {retn V D}.
ev/catchb: error D' * handle E2 D' D >-> {eval E2 D}.

Figure 7.7: Integration of parallelism and exceptions; signals failure as soon as possible

In ordered specifications, an ordered atomic proposition can be directly connected to at most two other ordered propositions: the proposition immediately to the left in the ordered context, and the proposition immediately to the right in the ordered context. What Figure 7.6 demonstrates is that, with destinations, a linear proposition can be locally connected to any fixed finite number of other propositions. (If we encode lists of destinations, this need not even be fixed!) Whereas in ordered abstract machine specifications the parallel structure of a computation had to be reconstructed by parsing the context in postfix, a destination-passing specification uses destinations to thread together the treelike dependencies in the context. It would presumably be possible to consider a different version of parallel operationalization that targeted this desirable form of parallel destination-passing specification specifically, but we will not present such a transformation in this thesis.

Using destination-based parallel continuations, we give, in Figure 7.7, a semantics for recoverable failure that eagerly returns errors from either branch of a parallel computation. The rules ev/errorL and ev/errorR immediately pass on errors returned to a frame where the computation forked. Those two rules also leave behind a linear proposition terminate d that will abort the other branch of computation if it returns successfully (rule term/retn) or with an error (rule term/err). It would also be possible to add rules like ∀f. ∀d. ∀d′. cont f d′ d • terminate d ↣ {terminate d′} that actively abort the useless branch instead of passively waiting for it to finish. (In a language with state, this can make an observable difference in the results of computation.)
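The interplay of Figures 7.6 and 7.7 can be exercised directly. The following is an added Python model, not code from the dissertation or from the SLS implementation: the process state is a list of linear atomic propositions, step applies one rule, and run evaluates an expression towards destination d0 until no rule applies. It covers ev/pair, ev/pair1, ev/fail, ev/errorL, ev/errorR, term/retn, term/err, ev/catch, ev/catcha and ev/catchb, plus a rule returning numeric literals that the figures take from Chapter 6; ev/error and the actively-aborting rule are omitted because the model has no single-destination frames. Scheduling is a fixed first-match order where SLS is nondeterministic, and the constructors num, pair and catch and the inputs used are constructed for this example.

```python
"""Executable model of the parallel-pair and failure rules of Figures 7.6 and 7.7.

A process state is a list of linear atomic propositions (tuples).  step()
applies one SLS rule, consuming the propositions it matched and producing the
ones in the rule head.  Expression constructors and inputs are constructed
for this example; the model is not part of the dissertation.
"""
from itertools import count

_dests = count(1)


def fresh():
    """Allocate a new destination: models 'Exists d' in a rule head."""
    return f"d{next(_dests)}"


def num(n):
    return ('num', n)            # numeric literal, already a value


def pair(e1, e2):
    return ('pair', e1, e2)      # parallel pair, Figure 7.6


def catch(e1, e2):
    return ('catch', e1, e2)     # recoverable failure, Figure 7.7


FAIL = ('fail',)


def without(state, *idx):
    """The state with the propositions at positions idx consumed."""
    return [f for i, f in enumerate(state) if i not in idx]


def step(state):
    """Apply the first applicable rule; return the new state, or None if none applies."""
    for i, f in enumerate(state):
        if f[0] == 'eval':
            _, e, d = f
            rest = without(state, i)
            if e[0] == 'num':                       # values return themselves
                return rest + [('retn', e, d)]
            if e == FAIL:                           # ev/fail
                return rest + [('error', d)]
            if e[0] == 'pair':                      # ev/pair: fork two threads
                d1, d2 = fresh(), fresh()
                return rest + [('eval', e[1], d1), ('eval', e[2], d2),
                               ('cont2', 'pair1', d1, d2, d)]
            if e[0] == 'catch':                     # ev/catch: install a handler
                d_ = fresh()
                return rest + [('eval', e[1], d_), ('handle', e[2], d_, d)]
        elif f[0] in ('retn', 'error'):
            d = f[2] if f[0] == 'retn' else f[1]
            for j, g in enumerate(state):
                if g[0] == 'terminate' and g[1] == d:     # term/retn, term/err
                    return without(state, i, j)
                if g[0] == 'handle' and g[2] == d:        # ev/catcha, ev/catchb
                    new = ('retn', f[1], g[3]) if f[0] == 'retn' else ('eval', g[1], g[3])
                    return without(state, i, j) + [new]
                if g[0] == 'cont2' and d in (g[2], g[3]):
                    _, _, d1, d2, dout = g
                    other = d2 if d == d1 else d1
                    if f[0] == 'error':                   # ev/errorL, ev/errorR
                        return without(state, i, j) + [('error', dout),
                                                       ('terminate', other)]
                    for k, h in enumerate(state):         # ev/pair1 needs both values
                        if h[0] == 'retn' and h[2] == other:
                            v1, v2 = (f[1], h[1]) if d == d1 else (h[1], f[1])
                            return without(state, i, j, k) + [('retn', pair(v1, v2), dout)]
    return None


def run(expr, limit=10_000):
    """Evaluate expr towards destination d0 until the state is quiescent."""
    state = [('eval', expr, 'd0')]
    for _ in range(limit):
        nxt = step(state)
        if nxt is None:
            return state
        state = nxt
    raise RuntimeError("no quiescence within the step limit")


if __name__ == '__main__':
    print(run(pair(num(1), num(2))))
    print(run(catch(pair(FAIL, num(1)), num(7))))
```

Running catch(pair(FAIL, num(1)), num(7)) shows the mechanism of Figure 7.7: the left branch's error reaches the cont2 frame, ev/errorL forwards it to the handler and leaves terminate behind, the right branch's retn is then consumed by term/retn, and ev/catchb evaluates the handler, so the final state is a single retn at d0 with nothing left over.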

7.2.2  Synchronization 

The CLF tech report gives a destination-passing presentation of nearly the full set of Concurrent ML primitives, omitting only negative acknowledgements [CPWW02]. We will present an SLS version of that Concurrent ML specification as a part of the hybrid specification in Appendix B. In Figure 7.8, rather than reprising that specification, we present an extremely simple form of synchronous communication.

ev/chan: eval (chan \c. E c) D >-> {Exists c. eval (E c) D}.

ev/send: eval (send C E) Dsend
         >-> {Exists d'. eval E d' * cont (send1 C) d' Dsend}.

ev/send1: retn V D' * cont (send1 C) D' Dsend * eval (recv C) Drecv
          >-> {retn unit Dsend * retn V Drecv}.

Figure 7.8: Semantics of simple synchronization

New channels are created by evaluating ⌜chan c. e⌝ = chan λc. ⌜e⌝, which introduces a new channel (an LF term of the type channel that has no constructors) and substitutes it for the bound variable c in e. Synchronization happens when there is both a send, send c e, being evaluated in one part of the process state and a receive, recv c, with the same channel being evaluated in a different part of the process state. The expression e will first evaluate to a value v (rule ev/send). Communication is driven by rule ev/send1, which allows computation to continue in both the sender and the receiver.

Synchronous communication introduces the possibility of deadlocks. Without synchronous communication, the presence of a suspended atomic proposition eval e d always indicates the possibility of some transition, and the combination of a proposition retn v d and a continuation cont f d d′ can either immediately transition or else are permanently in a stuck state. In [PS09], this observation motivated a classification of atomic propositions as active propositions like eval e d that independently drive computation, passive propositions like cont f d′ d that do not drive computation, and latent propositions like retn v d that may or may not drive computation based on the ambient environment of passive propositions.

The specification in Figure 7.8 does not respect this classification because a proposition of the form eval (recv c) d cannot immediately transition. We could restore this classification by having a rule ∀c. ∀d. eval (recv c) d ↣ {await c d} for some new passive linear predicate await and then replacing the premise eval (recv C) D in ev/send1 with await C D.

Labeled  transitions 

Substructural operational semantics specifications retain much of the flavor of abstract machines, in that we are usually manipulating expressions along with their continuations. In ordered specifications, continuations are connected to evaluating expressions and returning values only by their relative positions in the ordered context; in destination-passing specifications, expressions and values are connected to continuations by the threading of destinations.

Abstract machines are not always the most natural way to express a semantics. This observation is part of what motivated our discussion of the operationalization transformation from natural semantics (motto: "natural" is our first name!) and our informal discussion of statefully-modular natural semantics in Section 6.5.5. In Chapter 6, we showed that the continuation-focused perspective of SSOS allowed us to expose computation to the ambient state. With the example of synchronization above, we see that destination-passing SSOS specifications also expose computations in the process state to other computations, which is what allows the synchronization in rule ev/send1 to take place.

bind: exp -> exp -> prop pers.
promise: dest -> exp -> prop lin.

ev/bind: eval X D * !bind X V >-> {retn V D}.             ; Future is complete
#| WAITING: eval X D * promise Dfuture X >-> ??? |#         ; Future is waiting on a value
ev/promise: retn V D * promise D X >-> {!bind X V}.
ev/flam: eval (flam \x. E x) D >-> {retn (flam \x. E x) D}.

ev/fapp1: retn (flam \x. E x) D1 * cont (app1 E2) D1 D
          >-> {Exists x. eval (E x) D *
               Exists dfuture. eval E2 dfuture *
               promise dfuture x}.

Figure 7.9: Semantics of call-by-future functions

In small-step operational semantics, labeled deduction is used to describe specifications like the one above. At a high level, in a labeled transition system we inductively define a small step judgment e ⟶[ℓ] e′, a step carrying a label ℓ, with the property that

* e ⟶[send c v] e′ if e steps to e′ by reducing some subterm send c v to (),
* e ⟶[recv c v] e′ if e steps to e′ by reducing some subterm recv c to v, and
* e1 in parallel with e2 (and possibly also in parallel with some other e3, e4, etc.) can step to e1′ in parallel with e2′ (and in parallel with an unchanged e3, e4, etc.) if e1 ⟶[send c v] e1′ and e2 ⟶[recv c v] e2′.

Labels essentially serve to pass messages up through the inductive structure of a proposition. In destination-passing SSOS semantics, on the other hand, the internal structure of e is spread out as a series of frames throughout the context, and so the innermost redexes of terms can be directly connected. It would be interesting (but probably quite nontrivial) to consider a translation from labeled deduction systems to destination-passing SSOS specifications along the lines of the operationalization transformation.


7.2.3  Futures 

Futures can be seen as a parallel version of call-by-value, and the presentation in Figure 7.9 can be compared to the environment semantics for call-by-value in Figure 6.19. We introduce future-functions as a new kind of function flam λx.e comparable to plain-vanilla call-by-value functions lam λx.e, lazy call-by-need functions lazylam λx.e, and environment-semantics functions envlam λx.e. As in the environment semantics specification, when a call-by-future function returns to a frame ⌜□ e2⌝ = app1 ⌜e2⌝, we create a new expression x by existential quantification. However, instead of suspending the function body on the stack as we did in Figure 6.19, in Figure 7.9 we create a new destination dfuture and start evaluating the function argument towards that destination (rule ev/fapp1). We also create a linear proposition, promise dfuture x, that will take any value returned to dfuture and permanently bind it to x (rule ev/promise). As a proposition that only exists during the course of evaluating the argument, promise is analogous to the black hole in our specification of lazy call-by-need.

x1:(eval ⌜(λx.sx) (sz)⌝ d1)
x2:(eval ⌜λx.sx⌝ d2), x3:(cont ⌜□ (sz)⌝ d2 d1)
x4:(retn ⌜λx.sx⌝ d2), x3:(cont ⌜□ (sz)⌝ d2 d1)
x5:(eval (succ x) d1), x6:(eval ⌜sz⌝ d3), x7:(promise d3 x)
x5:(eval (succ x) d1), x8:(eval ⌜z⌝ d4), x9:(cont succ1 d4 d3), x7:(promise d3 x)
x10:(eval x d5), x11:(cont succ1 d5 d1), x8:(eval ⌜z⌝ d4), x9:(cont succ1 d4 d3), x7:(promise d3 x)
x10:(eval x d5), x11:(cont succ1 d5 d1), x12:(retn ⌜z⌝ d4), x9:(cont succ1 d4 d3), x7:(promise d3 x)
x10:(eval x d5), x11:(cont succ1 d5 d1), x13:(retn ⌜sz⌝ d3), x7:(promise d3 x)
x10:(eval x d5), x11:(cont succ1 d5 d1), x14:(bind x ⌜sz⌝) pers
x15:(retn ⌜sz⌝ d5), x11:(cont succ1 d5 d1), x14:(bind x ⌜sz⌝) pers

From the fourth state through the eighth, the two computations proceed in parallel; from the sixth state through the ninth, the primary computation is stuck (at eval x d5) while it waits on the promise. Remember: bind is persistent, all other propositions are linear.

Figure 7.10: Series of process states in an example call-by-future evaluation

Futures use destinations to create new and potentially disconnected threads of computation, which can be seen in the example evaluation of (λx.sx) (sz), where λx.e is interpreted as a future function flam instead of lam as before, given in Figure 7.10. That figure illustrates how spawning a future splits the destination structure of the ordered context into two disconnected threads of computation. This was not possible in the ordered framework where every computation had to be somewhere specific in the ordered context relative to the current computation, either to the left or to the right. These threads are connected not by destinations but by the variable x, which the primary computation needs the future to return before it can proceed.

Note the similarity between the commented-out rule fragment in Figure 7.9 and the commented-out rule fragments in the specifications of call-by-need evaluation (Section 6.5.2). In the call-by-need specifications, needing an unavailable value was immediately fatal. With futures, needing an unavailable value is not immediately fatal: the main thread of computation is stuck, but only until the future's promise is fulfilled. (This again violates the classification of eval as active; as before, this could again be fixed by adding a new latent proposition.)

The destination-passing semantics of futures interact seamlessly with the semantics of synchronization and parallelism, but not with the semantics of recoverable failure: we would have to make some choice about what to do when a future signals failure.
eval: exp -> dest -> prop lin.
retn: exp -> dest -> prop lin.
cont: frame -> dest -> dest -> prop pers.

ev/letcc: eval (letcc \x. E x) D >-> {eval (E (contn D)) D}.

ev/throw2: retn (contn DK) D2 * !cont (throw2 V1) D2 D
           >-> {retn V1 DK}.

Figure 7.11: Semantics of first-class continuations (with letcc)

7.2.4  First-class  continuations 

First-class continuations are a sophisticated control feature. Continuations are another name for the stacks k in abstract machine semantics with states k ▷ e and k ◁ v (and also, potentially, a third kind of state in which an error rather than a value is returned to k, if we want to be able to return errors, as discussed in Section 6.5.4). First-class continuations introduce a new value, contn k, to the language. Programmers cannot write continuations k directly, just as they cannot write locations l directly; rather, the expression ⌜letcc x.e⌝ = letcc λx.⌜e⌝ captures the current stack as a continuation value:

k ▷ letcc x.e ↦ k ▷ [contn k/x]e

There is a third construct, ⌜throw e1 to e2⌝ = throw ⌜e1⌝ ⌜e2⌝, that evaluates e1 to a value v1, evaluates e2 to a continuation value contn k′, and then throws away the current continuation in favor of returning v1 to k′:

k ▷ throw e1 to e2 ↦ (k; throw □ to e2) ▷ e1
(k; throw □ to e2) ◁ v1 ↦ (k; throw v1 to □) ▷ e2
(k; throw v1 to □) ◁ contn k′ ↦ k′ ◁ v1

When handled in a typed setting, a programming language with first-class continuations can be seen as a Curry-Howard interpretation of classical logic.

In destination-passing SSOS specifications, we never represent continuations or control stacks k directly. However, we showed in Section 6.3 that a control stack k is encoded in the context as a series of cont frames. In a destination-passing specification, it is therefore reasonable to associate a continuation k with the destination d that points to the topmost frame cont f d d′ in the stack k encoded in the process state. Destinations stand for continuations in much the same way that introduced variables x in the environment semantics stand for the values v they are bound to through persistent bind x v propositions. In Figure 7.11, the rule ev/letcc captures the current continuation d as an expression contn d that is substituted into the subexpression. In rule ev/throw2, the destination dk held by the value contn dk gets the value v1 returned to it; the previous continuation, represented by the destination d, is abandoned.

Just as it is critical for the bind predicate in the environment semantics to be persistent, it is necessary, when dealing with first-class continuations, to have the cont predicate be persistent: a captured continuation may be invoked any number of times, and each invocation returns a value to the same frame, which a linear frame could serve only once. As discussed in Section 7.1.2, it does not change the behavior of any SSOS specifications we have discussed if linear cont predicates are turned into persistent cont predicates. Turning cont into a persistent predicate does not, on its own, influence the transitions that are possible, so in a sense we have not changed our SSOS semantics very much in order to add first-class continuations. However, the implicit representation of stacks in the context does complicate adequacy arguments for the semantics in Figure 7.11 relative to the transition rules given above. We will return to this point in Section 9.6 when we discuss generative invariants that apply to specifications using first-class continuations.
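Why cont has to be persistent once letcc is in the language can be seen by executing Figure 7.11 under both regimes. The following is an added Python model, not the dissertation's code or the SLS implementation: frames are ('cont', f, d′, d) propositions that the persistent flag exempts from consumption, and binders use Python closures in the style of higher-order abstract syntax. The let construct and the throw1/throw2 frames that evaluate the two arguments of throw before ev/throw2 fires are assumed here from the sequential semantics of Chapter 6; the program let k = letcc x. x in throw k to k and the escaping program below are constructed inputs. The loop program re-enters the let frame on every throw, which is only possible if the frame survives its first use.

```python
"""Executable model of letcc/throw (Figure 7.11) with linear or persistent cont frames.

A process state is a list of atomic propositions.  With persistent=True the
('cont', frame, d', d) propositions are never consumed, modelling !cont; with
persistent=False they are linear.  let, throw1 and throw2 are assumed from the
sequential semantics; this model is not part of the dissertation.
"""
from itertools import count


def num(n):
    return ('num', n)


def contn(d):
    return ('contn', d)            # continuation value holding a destination


def letcc(body):
    return ('letcc', body)         # body: continuation value -> expression


def throw(e1, e2):
    return ('throw', e1, e2)       # throw e1 to e2


def let(e1, body):
    return ('let', e1, body)       # let x = e1 in body(x)


VALUES = ('num', 'contn')


class Machine:
    def __init__(self, persistent):
        self.persistent = persistent
        self._dests = count(1)
        self.reentries = 0         # how many times a let frame has fired

    def fresh(self):
        return f"d{next(self._dests)}"

    def consume(self, state, *idx):
        """Remove the matched propositions, except persistent cont frames."""
        return [f for i, f in enumerate(state)
                if i not in idx or (self.persistent and f[0] == 'cont')]

    def step(self, state):
        """Apply the first applicable rule; None when the state is quiescent."""
        for i, f in enumerate(state):
            if f[0] == 'eval':
                _, e, d = f
                rest = self.consume(state, i)
                if e[0] in VALUES:
                    return rest + [('retn', e, d)]
                if e[0] == 'letcc':                          # ev/letcc
                    return rest + [('eval', e[1](contn(d)), d)]
                if e[0] == 'throw':                          # ev/throw (assumed)
                    d1 = self.fresh()
                    return rest + [('eval', e[1], d1), ('cont', ('throw1', e[2]), d1, d)]
                if e[0] == 'let':                            # ev/let (assumed)
                    d1 = self.fresh()
                    return rest + [('eval', e[1], d1), ('cont', ('let1', e[2]), d1, d)]
            if f[0] == 'retn':
                _, v, d = f
                for j, g in enumerate(state):
                    if g[0] != 'cont' or g[2] != d:
                        continue
                    frame, dout = g[1], g[3]
                    rest = self.consume(state, i, j)
                    if frame[0] == 'let1':                   # ev/let1 (assumed)
                        self.reentries += 1
                        return rest + [('eval', frame[1](v), dout)]
                    if frame[0] == 'throw1':                 # ev/throw1 (assumed)
                        d2 = self.fresh()
                        return rest + [('eval', frame[1], d2), ('cont', ('throw2', v), d2, dout)]
                    if frame[0] == 'throw2' and v[0] == 'contn':   # ev/throw2
                        return rest + [('retn', frame[1], v[1])]
        return None

    def run(self, expr, limit=200):
        """Return (state, quiescent); quiescent is False if the limit was hit."""
        state = [('eval', expr, 'd0')]
        for _ in range(limit):
            nxt = self.step(state)
            if nxt is None:
                return state, True
            state = nxt
        return state, False


def returned(state, d='d0'):
    """The value returned to destination d in a process state, if any."""
    return next((f[1] for f in state if f[0] == 'retn' and f[2] == d), None)


# let k = letcc x. x in throw k to k: re-enters the let frame forever
LOOP = let(letcc(lambda k: k), lambda k: throw(k, k))
# letcc x. throw 1 to x: escapes once, fine under either regime
ESCAPE = letcc(lambda k: throw(num(1), k))
```

With linear frames the loop program stops after the first re-entry with a retn (contn d1) d1 that no frame can receive, the stuck state the text warns about; with persistent frames the let frame fires again on every throw and the run only ends at the step limit. The escaping program returns 1 to d0 either way, matching the remark that persistence changes nothing for specifications without first-class continuations.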
Chapter 8

Linear logical approximation


A general recipe for constructing a sound program analysis is to (1) specify the operational semantics of the underlying programming language via an interpreter, and (2) specify a terminating approximation of the interpreter itself. This is the basic idea behind abstract interpretation [CC77], which provides techniques for constructing approximations (for example, by exhibiting a Galois connection between concrete and abstract domains). The correctness proof must establish the appropriate relationship between the concrete and abstract computations and show that the abstract computation terminates. We need to vary both the specification of the operational semantics and the form of the approximation in order to obtain various kinds of program analyses, sometimes with considerable ingenuity.

In this chapter, which is mostly derived from [SP11a], we consider a new class of instances in the general schema of abstract interpretation that is based on the approximation of SSOS specifications in SLS. We apply logically justified techniques for manipulating and approximating SSOS specifications to yield approximations that are correct by construction. The resulting persistent logical specifications can be interpreted and executed as saturating logic programs, which means that derived specifications are executable program analyses.

The process described in this chapter does not claim to capture or derive all possible interesting program analyses. The methodology we describe only derives over-approximations (or may-analyses) that ensure all possible behaviors will be reported by the analysis. There is a whole separate class of under-approximations (or must-analyses) which ensure that if a behavior is reported by the analysis it is possible; we will not consider under-approximations here [GNRT10]. Instead, we argue for the utility of our methodology by deriving two fundamental and rather different over-approximation-based analyses: a context-insensitive control flow analysis (Section 8.4) and an alias analysis (Section 8.5). Might and Van Horn's closely related "abstracting abstract machines" methodology, described in Section 8.6 along with other related work, suggests many more examples.


8.1  Saturating  logic  programming 

Concurrent SLS specifications where all positive atomic propositions are persistent (and where all inclusions of negative propositions in positive propositions, if there are any, have the form !A⁻, not ↓A⁻ or ¡A⁻) have a distinct logical and operational character. Logically, by the discussion in Section 3.7 we are justified in reading such specifications as specifications in persistent intuitionistic logic or persistent lax logic. Operationally, while persistent specifications have an interpretation as transition systems, that interpretation is not very useful. This is because if we can take a transition once, for instance using the rule a ↣ {b} to derive the persistent atomic proposition b from the persistent atomic proposition a, none of the facts that enabled that transition can be consumed, as all facts are persistent. Therefore, we can continue to make the same transition indefinitely; in the above-mentioned example, such transitions will derive multiple redundant copies of b.

The way we will understand the meaning of persistent and concurrent SLS specifications is in terms of saturation. A process state (Ψ; Δ) is saturated relative to the signature Σ if, for any step (Ψ; Δ) ⟶ (Ψ′; Δ′), it is the case that Ψ and Ψ′ are the same (the step unified no distinct variables and introduced no new variables), x:(p⁺) pers ∈ Δ′ implies x:(p⁺) pers ∈ Δ, and x:A⁻ pers ∈ Δ′ implies x:A⁻ pers ∈ Δ. This means that a signature with a rule that produces new variables by existential quantification, like a ↣ {∃x. b(x)}, has no saturated process states where a is present. We will cope with rules of this form by turning them into rules of the form a ↣ {∃x. b(x) • x = t} for some t, neutralizing the free existential variable as a notational definition. Notions of saturation that can cope with free existentially generated variables in other ways are interesting, but are beyond the scope of this dissertation.

A minimal saturated process state is one with no duplicated propositions; we can compute a minimal process state from any saturated process state by removing duplicates. For purely persistent specifications and process states, minimal saturated process states are unique when they exist: if (Ψ; Δ) ⟶* (Ψ1; Δ1) and (Ψ; Δ) ⟶* (Ψ2; Δ2) and both (Ψ1; Δ1) and (Ψ2; Δ2) are saturated, then (Ψ1; Δ1) and (Ψ2; Δ2) have minimal process states that differ only in the names of variables.

Furthermore, if a saturated process state exists for a given initial process state, the minimal saturated process state can be computed by the usual forward-chaining semantics where only transitions that derive new persistent atomic propositions or equalities t = s are allowed. This forward-chaining logic programming interpretation of persistent logic is extremely common, usually associated with the logic programming language Datalog. A generalization of Datalog formed the basis of McAllester and Ganzinger's meta-complexity results: they gave a cost semantics to their logic programming language, and then they used that cost semantics to argue that many program analyses could be efficiently implemented as logic programs [McA02, GM02]. Persistent SLS specifications can be seen as an extension of McAllester and Ganzinger's language (and, transitively, as a generalization of Datalog). We will not deal with cost semantics or efficiency, however, as our use of higher-order abstract syntax appears to complicate McAllester and Ganzinger's cost semantics.

Just as the term persistent logic was introduced in Chapter 2 to distinguish what is traditionally referred to as intuitionistic logic from intuitionistic ordered and linear logic, we will use the term saturating logic programming to distinguish what is traditionally referred to as forward-chaining logic programming from the forward-chaining logic programming interpretation that makes sense for ordered and linear logical specifications. There is a useful variant of substructural forward chaining, forward chaining with quiescence [LPPW05], that acts like saturating logic programming on purely-persistent specifications and like simple committed-choice forward chaining on specifications with no persistent propositions. We refined this interpretation and gave it a cost semantics in [SP08], but this more sophisticated interpretation is not relevant to the examples in this dissertation.

hd: dest -> dest -> prop pers.
left: tok -> dest -> dest -> prop pers.
right: tok -> dest -> dest -> prop pers.
stack: tok -> dest -> dest -> prop pers.

push: hd L M * left X M R
      >-> {Exists m. stack X L m * hd m R * m == fm X L M R}.
pop: stack X L M1 * hd M1 M2 * right X M2 R >-> {hd L R}.

Figure 8.1: Skolemized approximate version of the PDA specification from Figure 7.2


8.2  Using  approximation 

The meta-approximation theorem that we present in the next section gives us a way of building abstractions from specifications and initial process states: we interpret the approximate version of the program as a saturating logic program over that initial state. If we can obtain a saturated process state using the logic programming interpretation, it is an abstraction of the initial process state. It is not always possible to obtain a saturated process state using the logic programming interpretation, however: rules like ∀x. a(x) ↣ {a(s(x))} and ∀x. a(x) ↣ {∃y. a(y)} lead to non-termination when interpreted as saturating logic programs. Important classes of programs are known to terminate in all cases, such as those in the Datalog fragment where the only terms in the program are variables and constants. Structured terms (like expressions encoded in the LF type exp) fall outside the Datalog fragment.

Consider the destination-passing PDA specification from Figure 7.2. If we simply turn all linear predicates persistent, the first step in the approximation methodology, then the push rule will lead to non-termination because the head ∃m. stack x l m • hd m r introduces a new existential parameter m. We can cope by adding a new conclusion m = t; adding new conclusions is the second step in the approximation methodology. This, however, means we have to pick a t. The most general starting point for selecting a t is to apply Skolemization to the rule. By moving the existential quantifier for m in front of the implicitly quantified X, L, M, and R, we get a Skolem function fm X L M R that takes four arguments. Letting t = fm X L M R results in the SLS specification/logic program shown in Figure 8.1. (Remember that, because the specification in Figure 8.1 is purely persistent, we will omit the optional ! annotation described in Section 4.5, writing hd L M instead of !hd L M and so on.)

Notice that we have effectively taken a specification that freely introduces existential quantification (and that therefore definitely will not terminate when interpreted as a saturating logic program) and produced a specification that uses structured terms fm X L M R. But the introduction of structured terms takes us outside the Datalog fragment, which may also lead to non-termination! This is not as bad as it may seem: when we want to treat a specification with structured terms as a saturating logic program, it is simply necessary to reason explicitly about termination. Giving any finite upper bound on the number of derivable facts is a simple and sufficient criterion for showing that a saturating logic program terminates.

Skolem functions provide a natural starting point for approximations, even though the Skolem constant that arises directly from Skolemization is usually more precise than we want. From the starting point in Figure 8.1, however, we can define approximations simply by instantiating the Skolem constant. For instance, we can equate the existentially generated destination in the conclusion with the one given in the premise (letting fm = λX.λL.λM.λR. M). The result is equivalent to this specification:

push: hd L M * left X M R >-> {stack X L M * hd M R}.
pop: stack X L M1 * hd M1 M2 * right X M2 R >-> {hd L R}.

This substitution yields a precise approximation that exactly captures the behavior of the original PDA as a saturating logic program.

To be concrete about what this means, let us recall how the PDA works and what it means for it to accept a string. To use the linear PDA specification in Figure 7.2, we encode a string as a sequence of linear atomic propositions ptok_1 … ptok_n, where each ptok_i either has the form left tok_i d_i d_{i+1} or the form right tok_i d_i d_{i+1}. The term tok_i indicates whether we're talking about a left/right parenthesis, curly brace, square brace, etc., and d_0 … d_{n+1} are n + 2 constants of type dest.¹ Let Δ = (h:⟨hd d_0 d_1⟩ eph, x_1:⟨ptok_1⟩ eph, …, x_n:⟨ptok_n⟩ eph). The PDA accepts the string encoded as ptok_1 … ptok_n if and only if there is a trace under the signature in Figure 7.2 where Δ ⇝* (x:⟨hd d_0 d_{n+1}⟩ eph).

Now, say that we turn the predicates persistent and run the program described by the push and pop rules above as a saturating logic program, obtaining a saturated process state Δ_sat from the initial process state (h:⟨hd d_0 d_1⟩ pers, x_1:⟨ptok_1⟩ pers, …, x_n:⟨ptok_n⟩ pers). (We can see from the structure of the program that the LF context will remain empty.) The meta-approximation theorem ensures that, if the original PDA accepted, then the proposition hd d_0 d_{n+1} is in Δ_sat. It just so happens to be the case that the converse is also true: if hd d_0 d_{n+1} is in Δ_sat, the original PDA specification accepts the string. That is why we say we have a precise approximation.

On the other hand, if we set m equal to l (letting fm = λX.λL.λM.λR. L), the result is equivalent to this specification:

push: hd L M * left X M R >-> {stack X L L * hd L R}.
pop: stack X L M1 * hd M1 M2 * right X M2 R >-> {hd L R}.

If the initial process state contains a single atomic proposition hd d_0 d_1 in addition to all the left and right facts, then the two rules above maintain the invariant that, as new facts are derived, the first argument of hd and the second and third arguments of stack will always be d_0. These arguments are therefore vestigial, like the extra arguments to eval and retn discussed in Section 7.1.1, and we can remove them from the approximate specification, resulting in the specification in Figure 8.2.

¹We previously saw destinations as only inhabited by parameters, but the guarantees given by the meta-approximation theorem are clearer when the initial state contains destinations that are constants.
hd: dest -> prop pers.
left: tok -> dest -> dest -> prop pers.
right: tok -> dest -> dest -> prop pers.
stack: tok -> prop pers.

push: hd M * left X M R >-> {stack X * hd R}.
pop: stack X * hd M2 * right X M2 R >-> {hd R}.

Figure 8.2: Approximated PDA specification


This logical approximation of the original PDA accepts if we run saturating logic programming from the initial process state (h:⟨hd d_1⟩ pers, x_1:⟨ptok_1⟩ pers, …, x_n:⟨ptok_n⟩ pers) and hd d_{n+1} appears in the saturated process state. Again, the meta-approximation theorem ensures that any string accepted by the original PDA will also be accepted by any approximation. This approximation will additionally accept every string where, for every form of bracket tok, at least one left tok appears before any of the right tok. The string []]](() would be accepted by this approximated PDA, but the string ()][[] would not, as the first right square bracket appears before any left square bracket.
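The two saturating logic programs above, the precise approximation (fm selecting M) and the coarser approximation of Figure 8.2, can be run directly on the example strings from the text. What follows is an added example in Python, not code from the dissertation or from the SLS implementation; the tuple representation of facts, the integers standing in for the destinations d_0 … d_{n+1}, and the token names paren, square and curly are assumptions of the example.

```python
"""Running the approximated PDAs of Section 8.2 as saturating logic programs.

Added example; not code from the dissertation or the SLS implementation.
Facts are tuples whose first element is the predicate name.  The string
encoding follows the text: the i-th bracket of a string becomes
left tok d_i d_{i+1} or right tok d_i d_{i+1}, with destinations d_0 ... d_{n+1}
represented here by the integers 0 ... n+1 (a constructed encoding; the
token constant names are an assumption of this example).
"""

BRACKETS = {"(": ("paren", "left"), ")": ("paren", "right"),
            "[": ("square", "left"), "]": ("square", "right"),
            "{": ("curly", "left"), "}": ("curly", "right")}


def encode(string):
    """ptok_1 ... ptok_n as left/right facts over destinations 1 ... n+1."""
    return {(side, tok, i, i + 1)
            for i, (tok, side) in enumerate((BRACKETS[c] for c in string), start=1)}


def saturate(step, facts):
    """Saturating logic programming: keep adding derivable facts until nothing
    new appears.  `step` maps the current database to the facts obtainable by
    one application of each rule.  The loop terminates because every fact
    mentions only the finitely many given destinations and tokens."""
    facts = set(facts)
    while True:
        new = step(facts) - facts
        if not new:
            return facts
        facts |= new


def by_pred(facts, name):
    """Argument tuples of all facts with predicate `name`."""
    return [f[1:] for f in facts if f[0] == name]


def step_precise(facts):
    """The precise approximation (fm = \\X.\\L.\\M.\\R. M):
         push: hd L M * left X M R >-> {stack X L M * hd M R}
         pop:  stack X L M1 * hd M1 M2 * right X M2 R >-> {hd L R}"""
    new = set()
    for (L, M) in by_pred(facts, "hd"):
        for (X, M2, R) in by_pred(facts, "left"):
            if M == M2:
                new |= {("stack", X, L, M), ("hd", M, R)}
    for (X, L, M1) in by_pred(facts, "stack"):
        for (M1b, M2) in by_pred(facts, "hd"):
            for (Xb, M2b, R) in by_pred(facts, "right"):
                if M1 == M1b and X == Xb and M2 == M2b:
                    new.add(("hd", L, R))
    return new


def step_figure_8_2(facts):
    """The coarser approximation of Figure 8.2 (vestigial arguments removed):
         push: hd M * left X M R >-> {stack X * hd R}
         pop:  stack X * hd M2 * right X M2 R >-> {hd R}"""
    new = set()
    for (M,) in by_pred(facts, "hd"):
        for (X, M2, R) in by_pred(facts, "left"):
            if M == M2:
                new |= {("stack", X), ("hd", R)}
    for (X,) in by_pred(facts, "stack"):
        for (M2,) in by_pred(facts, "hd"):
            for (Xb, M2b, R) in by_pred(facts, "right"):
                if X == Xb and M2 == M2b:
                    new.add(("hd", R))
    return new


def accepts_precise(string):
    """hd d_0 d_{n+1} in the saturated state; this coincides with acceptance by
    the original linear PDA (balanced brackets)."""
    n = len(string)
    saturated = saturate(step_precise, encode(string) | {("hd", 0, 1)})
    return ("hd", 0, n + 1) in saturated


def accepts_figure_8_2(string):
    """hd d_{n+1} in the saturated state; accepts every string in which, for
    each bracket kind, some left bracket precedes every right one."""
    n = len(string)
    saturated = saturate(step_figure_8_2, encode(string) | {("hd", 1)})
    return ("hd", n + 1) in saturated


if __name__ == "__main__":
    for s in ["[()]", "[]]](()", "()][[]"]:
        print(f"{s!r:12} precise={accepts_precise(s)!s:6} figure 8.2={accepts_figure_8_2(s)}")
```

Running the module prints, for each sample string, whether the precise approximation and the Figure 8.2 approximation accept it. The two checks worth making are that the precise version agrees with the balanced-bracket language, and that every string the precise version accepts is also accepted by the Figure 8.2 version, which is the direction the meta-approximation theorem guarantees; the converse fails on []]](().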


8.3  Logical  transformation:  approximation 

The approximation strategy demonstrated in the previous section is quite simple: a signature in an ordered or linear logical specification can be approximated by making all atomic propositions persistent, and a flat rule ∀x. A^+ ↣ {B^+} containing only persistent atomic propositions can be further approximated by removing premises from A^+ and adding conclusions to B^+. Of particular practical importance are added conclusions that neutralize an existential quantification with a notational definition. The approximation procedure doesn't force us to neutralize all such variables in this way. However, as we explained above, failing to do so almost ensures that the specification cannot be run as a saturating logic program, and being able to interpret specifications as saturating logic programs is a prerequisite for applying the meta-approximation theorem (Theorem 8.4).

First,  we  define  what  it  means  for  a  specification  to  be  an  approximate  version  of  another 
specification: 

Definition 8.1. A flat, concurrent, and persistent specification Σ_a is an approximate version of another specification Σ if every predicate a : Πx_1:τ_1 … Πx_n:τ_n. prop lvl declared in Σ has a corresponding predicate a : Πx_1:τ_1 … Πx_n:τ_n. prop pers in Σ_a and if for every rule r : ∀x. A_1^+ ↣ {A_2^+} in Σ there is a corresponding rule r : ∀x. B_1^+ ↣ {B_2^+} in Σ_a such that:

* The existential quantifiers in A_1^+ and A_2^+ are identical to the existential quantifiers in B_1^+ and B_2^+ (respectively),

* For each premise (p^+_pers or t = s) in B_1^+, the same premise appears in A_1^+, and

* For each conclusion (p^+_lvl or t = s) in A_2^+, the same conclusion appears in B_2^+.
While approximation is a program transformation, it is not a deterministic one: Definition 8.1 describes a whole family of potential approximations. Even the nondeterministic operationalization transformation was just a bit nondeterministic, giving several options for operationalizing any given deductive rule. The approximation transformation, in contrast, needs explicit information from the user: which premises should be removed, and what new conclusions should be introduced? While there is value in actually implementing the operationalization, defunctionalization, and destination-adding transformations, applying approximation requires intelligence. Borrowing a phrase from Danvy, approximation is a candidate for “mechanization by graduate student” rather than mechanization by computer.

Next, we give a definition of what it means for a state to be an approximate version (we use the word “generalization”) of another state or a family of states.

Definition 8.2. The persistent process state (Ψ_g; Δ_g) is a generalization of the process state (Ψ; Δ) if there is a substitution Ψ_g ⊢ σ : Ψ such that, for all atomic propositions p^+_lvl = a t_1 … t_n in Δ, there exists a persistent proposition p^+_pers = a (σt_1) … (σt_n) in Δ_g.

One thing we might prove about the relationship between process states and their generalizations is that generalizations can simulate the process states they generalize: that is, if (Ψ_g; Δ_g) is a generalization of (Ψ; Δ) and (Ψ; Δ) ⇝ (Ψ'; Δ') then (Ψ_g; Δ_g) ⇝* (Ψ'_g; Δ'_g) where (Ψ'_g; Δ'_g) is a generalization of (Ψ'; Δ'). This property, one-step simulation, is true [SP11a, Lemma 6], and we will prove it as a corollary on the way to the proof of Theorem 8.4. However, we are not interested in generalization per se; rather, we're interested in a stronger property, abstraction, that is defined in terms of generalization:

Definition 8.3. A process state (Ψ_a; Δ_a) is an abstraction of (Ψ_0; Δ_0) under the signature Σ if for any trace (Ψ_0; Δ_0) ⇝* (Ψ_n; Δ_n), (Ψ_a; Δ_a) is a generalization of (Ψ_n; Δ_n).

An abstraction of the process state (Ψ_0; Δ_0) is therefore a single process state that captures all possible future behaviors of the state (Ψ_0; Δ_0) because, for any atomic proposition p^+ = a t_1 … t_n that may be derived by evolving (Ψ_0; Δ_0), there is a substitution σ such that a (σt_1) … (σt_n) is already present in the abstraction. The meta-approximation theorem relates this definition of abstraction to the concept of approximate versions of programs as specified by Definition 8.1.
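Definition 8.2 is decidable for the finite process states that saturation produces, and checking it mechanically is a useful sanity test when validating that a saturated state really does generalize the states of a concrete run. The following is an added example (mine, not the dissertation's) that implements the check as a backtracking search for a single substitution σ; representing parameters as strings prefixed with "?" and the sample PDA states are assumptions of the example.

```python
"""Deciding Definition 8.2 (generalization) for finite process states.

Added example, not from the dissertation.  A process state is represented
by its set of atomic propositions, each a tuple (predicate, t1, ..., tn);
an argument is a constant (a plain string) or a parameter of the LF
context, written with a leading "?" (a convention of this example).  The
linear/persistent annotations are not represented, since Definition 8.2
only compares the underlying propositions: (Psi_g; Delta_g) generalizes
(Psi; Delta) when ONE substitution sigma for the parameters of Psi maps
every proposition of Delta onto some proposition of Delta_g.
"""


def is_param(term):
    return isinstance(term, str) and term.startswith("?")


def match(prop, target, sigma):
    """Extend sigma so that sigma(prop) == target; return None if impossible."""
    if len(prop) != len(target) or prop[0] != target[0]:
        return None
    sigma = dict(sigma)
    for t, u in zip(prop[1:], target[1:]):
        if is_param(t):
            if sigma.setdefault(t, u) != u:   # parameter already bound to another term
                return None
        elif t != u:
            return None
    return sigma


def generalizing_substitution(delta, delta_g):
    """Backtracking search for one sigma with sigma(Delta) contained in Delta_g.
    Returns the substitution (possibly empty) or None if there is none."""
    props = sorted(delta)

    def search(i, sigma):
        if i == len(props):
            return sigma
        for target in delta_g:
            extended = match(props[i], target, sigma)
            if extended is not None:
                result = search(i + 1, extended)
                if result is not None:
                    return result
        return None

    return search(0, {})


def is_generalization(delta_g, delta):
    return generalizing_substitution(delta, delta_g) is not None


# Constructed states for the PDA of Section 8.2 on the string "()".
# The concrete (linear) state after the push rule fired, with the fresh
# destination parameter ?m it introduced:
CONCRETE = {("stack", "paren", "d0", "?m"), ("hd", "?m", "d2"),
            ("right", "paren", "d2", "d3")}
# The saturated state of the precise persistent approximation (m = M):
SATURATED = {("hd", "d0", "d1"), ("left", "paren", "d1", "d2"),
             ("right", "paren", "d2", "d3"), ("stack", "paren", "d0", "d1"),
             ("hd", "d1", "d2"), ("hd", "d0", "d3")}
# Each proposition of CONCRETE matches something here on its own, but the
# matches need ?m = d0 and ?m = d1 at once, so this is NOT a generalization:
INCONSISTENT = {("stack", "paren", "d0", "d0"), ("hd", "d1", "d2"),
                ("right", "paren", "d2", "d3")}

if __name__ == "__main__":
    print(generalizing_substitution(CONCRETE, SATURATED))   # {'?m': 'd1'}
    print(is_generalization(INCONSISTENT, CONCRETE))        # False
```

The INCONSISTENT state shows why the definition asks for a single σ rather than a per-proposition match: checking propositions independently would wrongly accept it.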

Theorem 8.4 (Meta-approximation). If Σ_a is an approximate version of Σ, and if there is a state (Ψ_0; Δ_0) well-formed according to Σ, and if for some Ψ'_0 ⊢ σ : Ψ_0 there is a trace (Ψ'_0; σΔ_0) ⇝* (Ψ_a; Δ_a) such that (Ψ_a; Δ_a) is a saturated process state, then (Ψ_a; Δ_a) is an abstraction of (Ψ_0; Δ_0).

Proof. The central lemma is one-step simulation, mentioned above, which is established by induction on the structure of the step. A multi-step simulation lemma immediately follows by induction on traces: if Σ_a is an approximate version of Σ, (Ψ_g; Δ_g) is a generalization of (Ψ; Δ) and (Ψ; Δ) ⇝* (Ψ'; Δ') then (Ψ_g; Δ_g) ⇝* (Ψ'_g; Δ'_g) where (Ψ'_g; Δ'_g) is a generalization of (Ψ'; Δ') [SP11a, Lemma 7].
The monotonicity lemma establishes that transitions in a purely-persistent specification only increase the generality of a process state: if (Ψ; Δ) ⇝ (Ψ'; Δ') and Σ defines no ordered or mobile predicates, then (Ψ'; Δ') is a generalization of (Ψ; Δ) [SP11a, Lemma 8].

We use the monotonicity lemma to prove the saturation lemma: if (Ψ; Δ) ⇝* (Ψ_s; Δ_s), Σ defines no ordered or mobile predicates, and (Ψ_s; Δ_s) is saturated, then whenever (Ψ; Δ) ⇝* (Ψ'; Δ'), (Ψ_s; Δ_s) is a generalization of (Ψ'; Δ'). The proof proceeds by induction on the last steps of the trace witnessing (Ψ; Δ) ⇝* (Ψ'; Δ').

* In the base case, (Ψ; Δ) = (Ψ'; Δ') and we appeal to monotonicity.

* In the inductive case, we have (Ψ; Δ) ⇝* (Ψ''; Δ'') ⇝ (Ψ'; Δ'). By the induction hypothesis we have that (Ψ_s; Δ_s) is a generalization of (Ψ''; Δ''), and by one-step simulation (Ψ_s; Δ_s) ⇝* (Ψ'_s; Δ'_s) such that (Ψ'_s; Δ'_s) is a generalization of (Ψ'; Δ'). But saturation means that Ψ_s = Ψ'_s and that all the propositions in Δ'_s already appear in Δ_s, so (Ψ_s; Δ_s) must be a generalization of (Ψ'; Δ') as well. [SP11a, Lemma 9]

Finally, we prove meta-approximation. Consider a trace (Ψ_0; Δ_0) ⇝* (Ψ_n; Δ_n) of the original program. By the simulation lemma, there is a trace (Ψ'_0; σΔ_0) ⇝* (Ψ'_n; Δ'_n) where (Ψ'_n; Δ'_n) is a generalization of (Ψ_n; Δ_n). By the saturation lemma, (Ψ_a; Δ_a) is a generalization of (Ψ'_n; Δ'_n), and so because generalization is transitive, (Ψ_a; Δ_a) is a generalization of (Ψ_n; Δ_n), which is what we needed to show [SP11a, Theorem 3]. □

The meaning of the meta-approximation theorem is that if (1) we can approximate a specification and an initial state and (2) we can obtain a saturated process state from that approximate specification and approximate initial state, then the saturated process state captures all possible future behaviors of the (non-approximate) initial state.


8.4  Control  flow  analysis 

The initial process state for destination-passing SSOS specifications generally has the form (d:dest; x:⟨eval t d⟩) for some program represented by the LF term t = ⌜e⌝. This means that we can use the meta-approximation result to derive abstractions from initial expressions e using the saturating logic programming interpretation of approximated SSOS specifications.

A control flow analysis is a fundamental analysis on functional programs, attributed to Shivers [Shi88]. It is used for taking an expression and “determining for each subexpression a hopefully small number of functions that it may evaluate to; thereby it will determine where the flow of control may be transferred to in the case where the subexpression is the operator of a function application” [NNH05, p. 142]. That is, we want to take a program and find, for every subexpression e of that unevaluated program, all the values v that the subexpression may evaluate to over the course of evaluating the program to a value. Because we are talking about subexpressions of the unevaluated program, the answer might not be unique. Consider the evaluation of (λf. … (f (λy. …)) … (f (λz. …)) …) (λx.x). The function λx.x gets bound to f and therefore may get called twice, once with the argument (λy. …) and once with the argument (λz. …). The subexpression x of λx.x can therefore evaluate to (λy. …) in the context of the call f (λy. …) and to (λz. …) in the context of the call f (λz. …). As a may-analysis, the output of a control flow analysis is required to report both of these possibilities.²

When we use a control flow analysis, it is relevant that the calculation of which subexpressions evaluate to which values is done in service of a different goal: namely, determining which functions may be called from which calling sites. However, the ultimate goal of control flow analysis is irrelevant to our discussion of deriving control flow analyses from SSOS specifications, so we will concentrate on the question of which subexpressions evaluate to which values. Before we begin, however, we will address the issue of what it even means to be a (closed) subterm of an expression e that has been encoded with higher-order abstract syntax into the canonical forms of LF.

8.4.1  Subexpressions  in  higher-order  abstract  syntax 

When given a term a (b c c), it is clear that there are three distinct subterms: the entire term, b c c, and c. Therefore, it is meaningful to bound the size of a saturated process state using some function that depends on the number of subterms of the original term. But what are the subterms of lam (λx. app x x), and how can we write a saturating logic program that derives all those subterms? The rule for application is easy:

sub/app : ∀e_1:exp. ∀e_2:exp. subterms(app e_1 e_2) ↣ {subterms e_1 • subterms e_2}

What about the rule for lambda abstractions? Experience with LF says that, when we open up a binder, we should substitute a fresh variable into that binder. This would correspond to the following rule:

sub/lam/ohno : ∀e:exp → exp. subterms(lam(λx. e x)) ↣ {∃x. subterms(e x)}

The rule sub/lam/ohno will, as we have discussed, lead to nontermination when we interpret the rules as a saturating logic program. The solution is to apply Skolemization as described in Section 8.2, which introduces a new constant we will call var. The rule sub/lam/ohno can then be approximated as a terminating rule:

sub/lam : ∀e:exp → exp. subterms(lam(λx. e x)) ↣ {subterms(e (var(λx. e x)))}

The subterms of any closed term e of LF type exp can then be enumerated by running this saturating logic program starting with the fact subterms(e), where subterms is a persistent positive proposition. We start counting subterms from the outside, and stop when we reach a variable represented by a term var(λx. e). The logic program and discussion above imply that there are three distinct subterms of lam (λx. app x x): the entire term, app (var(λx. app x x)) (var(λx. app x x)), and var(λx. app x x).

Another  solution,  discussed  in  the  next  section,  is  to  uniquely  tag  the  lambda  expression 
with  a  label.  This  has  the  same  effect  of  allowing  us  to  associate  the  variable  x  with  a  different 
concrete  term,  the  tag,  that  represents  the  site  where  x  was  bound. 

²This statement assumes that both of the calling sites f (λy. …) and f (λz. …) are reachable: the control flow analysis we derive performs some dead-code analysis, and it may not report that x evaluates to (λy. …), for instance, if the call f (λy. …) is certain to never occur.
bind: exp -> exp -> prop pers.
eval: exp -> dest -> prop lin.
retn: exp -> dest -> prop lin.
cont: frame -> dest -> dest -> prop lin.

ev/bind: eval X D * !bind X V >-> {retn V D}.
ev/lam:  eval (lam \x. E x) D >-> {retn (lam \x. E x) D}.
ev/app:  eval (app E1 E2) D
           >-> {Exists d1. eval E1 d1 * cont (app1 E2) d1 D}.
ev/app1: retn (lam \x. E x) D1 * cont (app1 E2) D1 D
           >-> {Exists d2. eval E2 d2 * cont (app2 \x. E x) d2 D}.
ev/app2: retn V D2 * cont (app2 \x. E x) D2 D
           >-> {Exists x. !bind x V *
                Exists d3. eval (E x) d3 * cont app3 d3 D}.
ev/app3: retn V D3 * cont app3 D3 D >-> {retn V D}.

Figure 8.3: Alternative environment semantics for CBV evaluation


8.4.2  Environment  semantics 

The starting point for deriving a control flow analysis is the environment semantics for call-by-value shown in Figure 8.3. It differs from the environment semantics shown in Figure 6.19 in three ways. First and foremost, it is a destination-passing specification instead of an ordered abstract machine specification, but that difference is accounted for by the destination-adding transformation in Chapter 7. A second difference is that the existentially generated parameter x associated with the persistent proposition bind x v is introduced as late as possible in the multi-stage protocol for evaluating an application (rule ev/app2 in Figure 8.3), not as early as possible (rule ev/appenv1 in Figure 6.19). The third difference is that there is an extra frame app3 and an extra rule ev/app3 that consumes such frames. The app3 frame is an important part of the control flow analysis we derive, but in [SP11a] the addition of these frames was otherwise unmotivated. Based on our discussion of the logical correspondence in Chapters 5 and 6, we now have a principled account for this extra frame and rule: it is precisely the pattern we get from operationalizing a natural semantics without tail-recursion optimization and then applying defunctionalization and destination-adding.

8.4.3 Approximation to 0CFA

In order for us to approximate Figure 8.3 to derive a finite control flow analysis, we turn all linear atomic propositions persistent and then must deal with the variables introduced by existential quantification. The variable x introduced in ev/app2 will be equated with var(λx. E x), which is
bind: exp -> exp -> prop pers.
eval: exp -> exp -> prop pers.
retn: exp -> exp -> prop pers.
cont: frame -> exp -> exp -> prop pers.

ev/bind: eval X D * bind X V >-> {retn V D}.
ev/lam:  eval (lam \x. E x) D >-> {retn (lam \x. E x) D}.
ev/app:  eval (app E1 E2) D
           >-> {Exists d1. eval E1 d1 * cont (app1 E2) d1 D *
                d1 == E1}.
ev/app1: retn (lam \x. E x) D1 * cont (app1 E2) D1 D
           >-> {Exists d2. eval E2 d2 * cont (app2 \x. E x) d2 D *
                d2 == E2}.
ev/app2: retn V D2 * cont (app2 \x. E x) D2 D
           >-> {Exists x. bind x V *
                Exists d3. eval (E x) d3 * cont app3 d3 D *
                x == var (\x. E x) *
                d3 == E x}.
ev/app3: retn V D3 * cont app3 D3 D >-> {retn V D}.

Figure 8.4: A control-flow analysis derived from Figure 8.3


consistent with making E x, which is now equal to E (var(λx. E x)), a subterm of lam (λx. E x). The new constructor var is also a simplified Skolem function for x that only mentions the LF term E; the most general Skolem function in this setting would have also been dependent on V, D, and D2. The existentially generated variable x was also the first argument to bind, so bind, as a relation, will now associate binding sites and values instead of unique variables and values.

The discussion above pertains to the existentially generated variable x in rule ev/app2, but we still need some method for handling the destinations d_1, d_2, and d_3 in ev/app, ev/app1, and ev/app2 (respectively). To this end, we need to recall the question that we intend to answer with control flow analysis: what values may a given subexpression evaluate to? A destination-passing specification attempts to return a value to a destination; we will instead return to an expression by equating destinations d with the expressions they represent. One way to do this would be to introduce a new constructor d : exp → dest, but we can equivalently conflate the two types exp and dest to get the specification in Figure 8.4.

The specification in Figure 8.4 has a point of redundancy along the lines of the redundancy in our second PDA approximation: the rules maintain the invariant that the two arguments to eval e d are always the same. Therefore, the second argument to eval can be treated as vestigial; by removing that argument, we get a specification equivalent to Figure 8.5. That figure includes another simplification as well: instead of introducing expressions d_1, d_2, and d_3 by existential
bind: exp -> exp -> prop pers.
eval: exp -> prop pers.
retn: exp -> exp -> prop pers.
cont: frame -> exp -> exp -> prop pers.

ev/bind: eval X * bind X V >-> {retn V X}.
ev/lam:  eval (lam \x. E x) >-> {retn (lam \x. E x) (lam \x. E x)}.
ev/app:  eval (app E1 E2) * E == app E1 E2
           >-> {eval E1 * cont (app1 E2) E1 E}.
ev/app1: retn (lam \x. E0 x) E1 * cont (app1 E2) E1 E
           >-> {eval E2 * cont (app2 \x. E0 x) E2 E}.
ev/app2: retn V E2 * cont (app2 \x. E0 x) E2 E
           >-> {Exists x. bind x V *
                eval (E0 x) * cont app3 (E0 x) E *
                x == var (\x. E0 x)}.
ev/app3: retn V E3 * cont app3 E3 E >-> {retn V E}.

Figure 8.5: Simplification of Figure 8.4 that eliminates the vestigial argument to eval


quantification just to equate them with expressions e_1, e_2, and e, we substitute the equated expressions in where the respective destinations appeared in Figure 8.4; this modification does not change anything at the level of synthetic inference rules.

Let's consider the termination of the specification in Figure 8.5 interpreted as a saturating logic program. Fundamentally, the terms in the heads of rules are all subterms (in the generalized sense of Section 8.4.1), which is a sufficient condition for the termination of a saturating logic program. More specifically, consider that we start the database with a single fact eval ⌜e⌝, where ⌜e⌝ has n subterms by the analysis in Section 8.4.1. We can only ever derive n new facts eval e', one for every subterm. If we deduced that every subexpression was a value that could be returned at every subexpression, there would still be only n² facts retn e e', and the same analysis holds for facts of the form cont app3 e e'. A fact of the form cont (app1 e_2) e_1 e will only be derived when e = app e_1 e_2, so there are at most n of these facts. A fact of the form cont (app2 λx. e_0 x) e_2 e will only be derived when e = app e_1 e_2 for some e_1 that is also a subterm, so there are at most n² of these facts too. This means that we can derive no more than 2n + 3n² facts starting from a database containing eval ⌜e⌝, where e has n subterms. We could give a much more precise analysis than this, but this imprecise analysis certainly bounds the size of the database, ensuring termination, which was our goal.

There is one important caveat to the control flow analysis we have derived. If for some value v we consider the program ⌜((λx.x) (λy.y)) v⌝, we might expect a reasonable control flow analysis to notice that only ⌜λy.y⌝ is passed to the function ⌜λx.x⌝ and that only v is passed to the function ⌜λy.y⌝. Because of our use of higher-order abstract syntax, however, ⌜λy.y⌝ and ⌜λx.x⌝ are α-equivalent and therefore equal in the eyes of the logic programming interpreter. This is not a problem with correctness, but it means that our analysis may be less precise than expected, because the analysis distinguishes only subterms, not subterm occurrences. One solution would be to add distinct labels to terms, marking the α-equivalent λx.x and λy.y with their distinct positions in the overall term. Adding a label on the inside of every lambda-abstraction would seem to suffice, and in any real example labels would already be present in the form of source-code positions or line numbers. The alias analysis presented in the next section demonstrates the use of such labels.
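The subterm enumeration of Section 8.4.1, the saturation of Figure 8.5 and the α-equivalence caveat above can all be observed in one small program. The following added Python example (not code from the dissertation or from the SLS tool) runs the rules of Figure 8.5 to saturation on constructed terms. It encodes terms with de Bruijn indices instead of LF's higher-order abstract syntax, an assumption of the example that reproduces exactly the identification of λx.x with λy.y described in the caveat; the constructor names and the sample programs are likewise constructed for the example.

```python
"""Subterm enumeration (Section 8.4.1) and the 0CFA of Figure 8.5, both run
as saturating logic programs.  Added example, not code from the
dissertation or the SLS tool.  Encoding (an assumption of this example):
    ("bvar", k)     bound variable, k binders out (de Bruijn index)
    ("lam", body)   ("app", e1, e2)
    ("var", L)      the Skolemized variable of binder L, i.e. var(\\x. E x)
Alpha-equivalent lambdas are equal tuples, as in the text's caveat.
"""


def open_binder(lam):
    """Rule sub/lam: replace the bound variable of lam by var(lam)."""
    def go(t, depth):
        if t[0] == "bvar":
            return ("var", lam) if t[1] == depth else t
        if t[0] == "lam":
            return ("lam", go(t[1], depth + 1))
        if t[0] == "app":
            return ("app", go(t[1], depth), go(t[2], depth))
        return t                                    # ("var", _) is closed
    return go(lam[1], 0)


def subterms(e):
    """Saturate {subterms(e)} under sub/app and sub/lam (worklist form)."""
    seen, todo = set(), [e]
    while todo:
        t = todo.pop()
        if t in seen:
            continue
        seen.add(t)
        if t[0] == "app":
            todo += [t[1], t[2]]
        elif t[0] == "lam":
            todo.append(open_binder(t))
    return seen


def step_cfa(facts):
    """One round of ev/bind, ev/lam, ev/app, ev/app1, ev/app2, ev/app3 from
    Figure 8.5.  Facts: ("eval", e), ("retn", v, e), ("bind", x, v) and
    ("cont", frame, e', e) with frame ("app1", e2), ("app2", lam) or "app3"."""
    new = set()
    binds = [f[1:] for f in facts if f[0] == "bind"]
    conts = [f[1:] for f in facts if f[0] == "cont"]
    for (_, e) in [f for f in facts if f[0] == "eval"]:
        for (x, v) in binds:                        # ev/bind
            if x == e:
                new.add(("retn", v, e))
        if e[0] == "lam":                           # ev/lam
            new.add(("retn", e, e))
        elif e[0] == "app":                         # ev/app
            new |= {("eval", e[1]), ("cont", ("app1", e[2]), e[1], e)}
    for (_, v, d) in [f for f in facts if f[0] == "retn"]:
        for (frame, d1, e) in conts:
            if d1 != d:
                continue
            if frame[0] == "app1" and v[0] == "lam":  # ev/app1
                new |= {("eval", frame[1]), ("cont", ("app2", v), frame[1], e)}
            elif frame[0] == "app2":                # ev/app2, x == var(lam)
                body = open_binder(frame[1])
                new |= {("bind", ("var", frame[1]), v), ("eval", body),
                        ("cont", "app3", body, e)}
            elif frame == "app3":                   # ev/app3
                new.add(("retn", v, e))
    return new


def analyze(e):
    """The saturated process state reachable from the single fact eval e."""
    facts = {("eval", e)}
    while True:
        new = step_cfa(facts) - facts
        if not new:
            return facts
        facts |= new


def C(facts, e):
    """C(e) = {v | retn v e in the saturated state}."""
    return {f[1] for f in facts if f[0] == "retn" and f[2] == e}


def rho(facts, x):
    """rho(x) = {v | bind x v in the saturated state}."""
    return {f[2] for f in facts if f[0] == "bind" and f[1] == x}


def termination_bound(e):
    """(non-bind facts derived from eval e, the text's bound 2n + 3n^2)."""
    n = len(subterms(e))
    return sum(1 for f in analyze(e) if f[0] != "bind"), 2 * n + 3 * n * n


# Constructed sample terms.
I = ("lam", ("bvar", 0))                              # \x. x
W = ("lam", ("app", ("bvar", 0), ("bvar", 0)))        # \x. x x
OMEGA = ("app", W, W)
V = ("lam", ("lam", ("bvar", 1)))                     # \z. \w. z, a value other than I
P = ("app", ("app", I, I), V)                         # ((\x. x) (\y. y)) v, the caveat

if __name__ == "__main__":
    facts = analyze(P)
    print("subterms of \\x. x x:", len(subterms(W)))
    print("rho(var I):", rho(facts, ("var", I)))
    print("C(P):", C(facts, P))
```

On ((λx.x) (λy.y)) v the saturated state binds the single binder var(λx.x) to both λy.y and v, so ρ reports both and C((λx.x) (λy.y)) contains v: the loss of precision the caveat predicts. On Ω = (λx. x x) (λx. x x) no retn fact for Ω is ever derived, so C(Ω) is empty and an argument applied to Ω is never evaluated, which is the order-of-evaluation sensitivity noted in the discussion of Nielson et al.'s definition in Section 8.4.4.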

8.4.4  Correctness 

The termination analysis for the derived specification in Figure 8.5, together with the meta-approximation theorem (Theorem 8.4), ensures that we have derived some sort of program analysis. How do we know that it is a control flow analysis?

The easy option is to simply inspect the analysis and compare it to the behavior of the SSOS semantics whose behavior the analysis is approximating. Note that the third argument e to cont f e' e is always a term app e_1 e_2, that is, a call site. The rule ev/app2 starts evaluating the function lam(λx. e_0 x) and generates the fact cont app3 (e_0 (var(λx. e_0 x))) e. This means that, in the course of evaluating some initial expression e_init, the function lam(λx. e_0 x) may be called from the call site e only if cont app3 (e_0 (var(λx. e_0 x))) e appears in a saturated process state that includes the persistent atomic proposition eval(e_init).

The analysis above is a bit informal, however. Following Nielson et al., an acceptable control flow analysis takes the form of two functions. The first, C, is a function from expressions e to sets of values {v_1, …, v_n}, and the second, ρ, is a function from variables x to sets of values {v_1, …, v_n}. C and ρ are said to represent an acceptable control flow analysis for the expression e if a coinductively defined judgment (C, ρ) ⊨ e holds.

We would like to interpret a saturated program state Δ as a (potentially acceptable) control flow analysis as follows (keeping in mind that, given our current interpretation of subterms, ⌜x⌝ = var(λx. E x) for some E):

* C(e) = {v | retn ⌜v⌝ ⌜e⌝ ∈ Δ}, and

* ρ(x) = {v | bind ⌜x⌝ ⌜v⌝ ∈ Δ}.

Directly adapting Nielson et al.'s definition of an acceptable control flow analysis from [NNH05, Table 3.1] turns out not to work. The control flow analysis we derived in Figure 8.5 is rather sensitive to non-termination: if we let ω = (λx. x x) (λx. x x), then our derived control flow analysis will not analyze the argument e_2 in an expression ω e_2, nor will it analyze the function body e in an expression (λx.e) ω. Nielson et al.'s definition, on the other hand, demands that both e_2 in ω e_2 and e in (λx.e) ω be analyzed. In Exercise 3.4 of their book, Nielson et al. point out that a modified analysis, which takes order of evaluation into account, is possible.

We can carry out Nielson et al.'s Exercise 3.4 to get the definition of an acceptable control flow analysis given in Figure 8.6. Relative to this definition, it is possible to prove that the abstractions computed by the derived SLS specification in Figure 8.5 are acceptable control flow analyses.
[var]  (C, ρ) ⊨ x        iff  ρ(x) ⊆ C(x)

[lam]  (C, ρ) ⊨ λx.e     iff  {(λx.e)} ⊆ C(λx.e)

[app]  (C, ρ) ⊨ e_1 e_2  iff  (C, ρ) ⊨ e_1 ∧
                              (∀(λx.e_0) ∈ C(e_1) :
                                 (C, ρ) ⊨ e_2 ∧
                                 (C(e_2) ⊆ ρ(x)) ∧
                                 (∀v ∈ C(e_2) :
                                    (C, ρ) ⊨ e_0 ∧
                                    (C(e_0) ⊆ C(e_1 e_2))))

Figure 8.6: Coinductive definition of an acceptable control flow analysis

Theorem 8.5. If Δ is a saturated process state that is well-formed according to the signature in Figure 8.5, and if C and ρ are defined in terms of Δ as described above, then eval ⌜e⌝ ∈ Δ implies that (C, ρ) ⊨ e.

Proof. By coinduction on the definition of acceptability in Figure 8.6, and case analysis on the form of e.

- e = x, so ⌜e⌝ = ⌜x⌝ = var(λx. E0 x)

  We have to show ρ(x) ⊆ C(x). In other words, if bind ⌜x⌝ ⌜v⌝ ∈ Δ, then retn ⌜v⌝ ⌜x⌝ ∈ Δ. Because eval ⌜e⌝ ∈ Δ, this follows by the presence of rule ev/bind: if eval ⌜e⌝ ∈ Δ and bind ⌜x⌝ ⌜v⌝ ∈ Δ, then retn ⌜v⌝ ⌜x⌝ ∈ Δ as well; if it were not, the process state would not be saturated!

- e = λx.e0, so ⌜e⌝ = ⌜λx.e0⌝ = lam(λx. E0 x)

  We have to show {(λx.e0)} ⊆ C(λx.e0). In other words, retn ⌜λx.e0⌝ ⌜λx.e0⌝ ∈ Δ. This follows by rule ev/lam by the same reasoning given above.

- e = e1 e2, so ⌜e⌝ = ⌜e1 e2⌝ = app E1 E2

  We have to show several things. The first, that (C, ρ) ⊨ e1, follows from the coinduction hypothesis: by rule ev/app, eval ⌜e1⌝ ∈ Δ. That rule also allows us to conclude that cont (app1 ⌜e2⌝) ⌜e1⌝ ⌜e1 e2⌝ ∈ Δ.

  Second, given a (λx.e0) ∈ C(e1) (meaning retn ⌜λx.e0⌝ ⌜e1⌝ ∈ Δ) we have to show that (C, ρ) ⊨ e2. This follows from the coinduction hypothesis: by rule ev/app1, because retn ⌜λx.e0⌝ ⌜e1⌝ ∈ Δ and cont (app1 ⌜e2⌝) ⌜e1⌝ ⌜e1 e2⌝ ∈ Δ, eval ⌜e2⌝ ∈ Δ. This same reasoning allows us to conclude that cont (app2 (λx. ⌜e0⌝)) ⌜e2⌝ ⌜e1 e2⌝ ∈ Δ given that (λx.e0) ∈ C(e1).

  Third, given a (λx.e0) ∈ C(e1), we have to show that (C(e2) ⊆ ρ(x)): in other words, that retn ⌜v2⌝ ⌜e2⌝ ∈ Δ implies bind (var(λx. ⌜e0⌝)) ⌜v2⌝ ∈ Δ. Because we know by the reasoning above that cont (app2 (λx. ⌜e0⌝)) ⌜e2⌝ ⌜e1 e2⌝ ∈ Δ, this follows by rule ev/app2.

  The same reasoning from ev/app2 allows us to conclude that both (λx.e0) ∈ C(e1) and retn ⌜v2⌝ ⌜e2⌝ ∈ Δ together imply eval ⌜e0⌝ ∈ Δ (and therefore that (C, ρ) ⊨ e0 by the coinduction hypothesis, the fourth thing we needed to prove) in addition to implying cont app3 ⌜e0⌝ ⌜e1 e2⌝ ∈ Δ (which with ev/app3 implies C(e0) ⊆ C(e1 e2), the last thing we needed to prove).

This completes the proof. □

We claim that, if we had started with an analysis that incorporated both parallel evaluation of functions and arguments (in the style of Figure 7.6 from Section 7.2.1) and the call-by-future functions discussed in Figure 7.9 from Section 7.2.3, then the derived analysis would have satisfied a faithful representation of Nielson et al.'s acceptability relation. The proof, in this case, should proceed along the same lines as the proof of Theorem 8.5.
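As an added example (my code, not the dissertation's), the Python below reconstructs the six Figure 8.5 rules from their rule-by-rule description in the proof of Theorem 8.5, saturates them, reads off (C, ρ) as defined above, and checks acceptability coinductively under Figure 8.6 and, for comparison, under the page's account of [NNH05, Table 3.1]. Assumed: the reconstruction of the rules, and that binder names are unique so a variable name can stand for its binder; with that, ω e2 comes out acceptable under Figure 8.6 even though e2 is never analyzed, but not under the original definition.

```python
from collections import defaultdict

# Expressions: ('var', x) | ('lam', x, body) | ('app', e1, e2).
# Assumption (mine): binder names are unique, so a variable name stands for
# its binder, matching the var(lambda x. E x) identification used in the text.

def saturate(program):
    """Persistent saturation of the Figure 8.5 rules as described in the proof
    of Theorem 8.5 (reconstruction, not the dissertation's code).  Facts:
    ('eval', e), ('retn', v, e), ('bind', x, v), ('cont', frame, e, e')."""
    facts = {('eval', program)}
    while True:
        new = set()
        for f in facts:
            if f[0] == 'eval':
                e = f[1]
                if e[0] == 'var':                                   # ev/bind
                    new |= {('retn', g[2], e) for g in facts
                            if g[0] == 'bind' and g[1] == e[1]}
                elif e[0] == 'lam':                                 # ev/lam
                    new.add(('retn', e, e))
                else:                                               # ev/app
                    new.add(('eval', e[1]))
                    new.add(('cont', ('app1', e[2]), e[1], e))
            elif f[0] == 'retn':
                _, v, src = f
                for g in facts:
                    if g[0] != 'cont' or g[2] != src:
                        continue
                    frame, whole = g[1], g[3]
                    if frame[0] == 'app1' and v[0] == 'lam':        # ev/app1
                        new.add(('eval', frame[1]))
                        new.add(('cont', ('app2', v), frame[1], whole))
                    elif frame[0] == 'app2':                        # ev/app2
                        _, x, body = frame[1]
                        new.add(('bind', x, v))
                        new.add(('eval', body))
                        new.add(('cont', ('app3',), body, whole))
                    elif frame[0] == 'app3':                        # ev/app3
                        new.add(('retn', v, whole))
        if new <= facts:
            return facts
        facts |= new

def analysis(facts):
    """C(e) = {v | retn v e in Delta}, rho(x) = {v | bind x v in Delta}."""
    C, rho = defaultdict(set), defaultdict(set)
    for f in facts:
        if f[0] == 'retn':
            C[f[2]].add(f[1])
        elif f[0] == 'bind':
            rho[f[1]].add(f[2])
    return C, rho

def subexprs(e):
    yield e
    for part in e[1:]:
        if isinstance(part, tuple):
            yield from subexprs(part)

def acceptable(C, rho, root, order_sensitive=True):
    """Coinductive check: assume every subexpression acceptable, then prune
    until the clauses hold (greatest fixpoint).  True = Figure 8.6; False =
    the page's description of [NNH05, Table 3.1]: the body is analysed at the
    abstraction and the argument unconditionally."""
    ok = set(subexprs(root))
    def clause(e):
        if e[0] == 'var':                                           # [var]
            return rho[e[1]] <= C[e]
        if e[0] == 'lam':                                           # [lam]
            return e in C[e] and (order_sensitive or e[2] in ok)
        e1, e2 = e[1], e[2]                                         # [app]
        if e1 not in ok or (not order_sensitive and e2 not in ok):
            return False
        for _, x, e0 in C[e1]:
            if (order_sensitive and e2 not in ok) or not C[e2] <= rho[x]:
                return False
            if order_sensitive and not C[e2]:
                continue        # Figure 8.6 only demands e0 once e2 has a value
            if (order_sensitive and e0 not in ok) or not C[e0] <= C[e]:
                return False
        return True
    while True:
        failing = {e for e in ok if not clause(e)}
        if not failing:
            return root in ok
        ok -= failing

def run(program, order_sensitive=True):
    C, rho = analysis(saturate(program))
    return acceptable(C, rho, program, order_sensitive)

# Constructed sample programs.
IDENT = ('app', ('lam', 'x', ('var', 'x')), ('lam', 'y', ('var', 'y')))
LOOP = ('lam', 'w', ('app', ('var', 'w'), ('var', 'w')))
OMEGA = ('app', LOOP, LOOP)                                # the omega of the text
OMEGA_ARG = ('app', OMEGA, ('lam', 'z', ('var', 'z')))     # omega e2
```

For OMEGA_ARG, saturation never produces eval ⌜e2⌝, so C(e2) is empty; run(OMEGA_ARG) is True while run(OMEGA_ARG, order_sensitive=False) is False, because the original definition insists on analyzing e2.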


8.5 Alias analysis

The control flow analysis above was derived from the SSOS specification of a language that looked much like the Mini-ML-like languages considered in Chapters 6 and 7, and we described how to justify such an analysis in terms of coinductive specifications of what comprises a well-designed control flow analysis.

In this section, we work in the other direction: the starting point for this specification was the interprocedural object-oriented alias analysis presented as a saturating logic program in [ALSU07, Chapter 12.4]. We then worked backwards to get a SSOS semantics that allowed us to derive Aho et al.'s logic program as closely as possible. The result is a monadic SSOS semantics. There should not be any obstacle to deriving an alias analysis from a semantics that looks more like the specifications elsewhere in this dissertation.

8.5.1 Monadic language

The language we consider differentiates atomic actions, which we will call expressions (and encode in the LF type exp) and procedures or commands (which we encode in the LF type cmd). There are only two commands m in our monadic language. The first command, ret x, is a command that returns the value bound to the variable x (rule ev/ret in Figure 8.7). The second command, ⌜bnd_l x ← e in m⌝ = bnd l ⌜e⌝ λx.⌜m⌝, evaluates e to a value, binds that value to the variable x, and then evaluates m. Note the presence of l in the bind syntax; we will call it a label, and we can think of it as a line number or source-code position from the original program.

In the previous languages we have considered, values v were a syntactic refinement of the expressions e. In contrast, our monadic language will differentiate the two: there are five expression forms and three values that we will consider. An expression ⌜λx.m0⌝ = fun λx.⌜m0⌝
bind: variable -> value -> prop pers.
eval: cmd -> dest -> prop lin.
retn: value -> dest -> prop lin.
cont: frame -> dest -> dest -> prop lin.

ev/ret: eval (ret X) D * !bind X V >-> {retn V D}.

ev/fun: eval (bnd L (fun \x. M0 x) (\x. M x)) D
        >-> {Exists y. eval (M y) D * !bind y (lam L \x. M0 x)}.

ev/call: eval (bnd L (call F X) (\x. M x)) D *
         !bind F (lam L0 (\x. M0 x)) *
         !bind X V
         >-> {Exists d0. Exists y.
              eval (M0 y) d0 * cont (call1 L (\x. M x)) d0 D *
              !bind y V}.

ev/call1: retn V D0 * cont (call1 L (\x. M x)) D0 D
          >-> {Exists y. eval (M y) D * !bind y V}.

Figure 8.7: Semantics of functions in the simple monadic language


evaluates to a value ⌜λ_l x.m0⌝ = lam l λx.⌜m0⌝, where the label l represents the source code position where the function was bound. (A function value is a command m0 with one free variable.) When we evaluate the command ⌜bnd_l y ← λx.m0 in m⌝, the value ⌜λ_l x.m0⌝ gets bound to y in the body of the command m (rule ev/fun in Figure 8.7).

The second expression form is a function call: ⌜f x⌝ = call f x. To evaluate a function call, we expect a function value to be bound to the variable f; we then store the rest of the current command on the stack and evaluate the command m0 to a value. Note that the rule ev/call in Figure 8.7 also stores the call site's source-code location l on the stack frame. The reason for storing a label here is that we need it for the alias analysis. However, it is possible to independently motivate adding these source-code positions to the operational semantics: for instance, it would allow us to model the process of giving a stack trace when an exception is raised. When the function we have called returns (rule ev/call1 in Figure 8.7), we continue evaluating the command that was stored on the control stack.

The rules for mutable pairs are given in Figure 8.8. Evaluating the expression newpair allocates a tuple with two fields fst and snd and yields a value loc l referring to the tuple; both fields in the tuple are initialized to the value null, and each field is represented by a separate linear cell resource (rule ev/new). The expressions ⌜x.fst⌝ = proj x fst and ⌜x.snd⌝ = proj x snd expect a pair location to be bound to x, and yield the value stored in the appropriate field of the mutable pair (rule ev/proj). The expressions ⌜x.fst := y⌝ = set x fst y and ⌜x.snd := y⌝ = set x snd y work much the same way. The difference is that the former expressions do not change the accessed field's contents, whereas the latter expressions replace the accessed field's contents with the value bound to y (rule ev/set).

This language specification bears some similarity to Harper's Modernized Algol with free
cell: locvar -> field -> value -> prop lin.

ev/new: eval (bnd L newpair (\x. M x)) D
        >-> {Exists y. Exists l'. eval (M y) D *
             cell l' fst null * cell l' snd null *
             !bind y (loc l')}.

ev/proj: eval (bnd L (proj X Fld) (\x. M x)) D *
         !bind X (loc L') *
         cell L' Fld V
         >-> {Exists y. eval (M y) D * cell L' Fld V *
              !bind y V}.

ev/set: eval (bnd L (set X Fld Y) (\x. M x)) D *
        !bind X (loc L') *
        !bind Y V *
        cell L' Fld V'
        >-> {Exists y. eval (M y) D *
             cell L' Fld V *
             !bind y V'}.

Figure 8.8: Semantics of mutable pairs in the simple monadic language


assignables [Har12, Chapter 36]. The free assignables addendum is critical: SSOS specifications do not have a mechanism for enforcing the stack discipline of Algol-like languages.³

8.5.2 Approximation and alias analysis

To approximate the semantics of our monadic language, we can follow the methodology from before and turn the specification persistent. A further approximation is to remove the last premise from ev/set, as the meta-approximation theorem allows: the only purpose of this premise in Figure 8.8 was to consume the ephemeral proposition cell l' fld v, and this is unnecessary if cell is not an ephemeral predicate. Having made these two moves (turning all propositions persistent, and removing a premise from ev/set), we are left with three types of existentially-generated variables that must be equated with concrete terms in order for our semantics to be interpreted as a saturating logic program:

* Variables y, introduced by every rule except for ev/ret,

* Mutable locations l, introduced by rule ev/new, and

* Destinations d; the only place where a destination is created by the destination-adding transformation is in rule ev/call.

³ It is, however, possible to represent Algol-like languages that maintain a stack discipline even though the machinery of SLS does not enforce that stack discipline. This is analogous to the situation with pointer equality discussed in Section 6.5.1, as a stack discipline is an invariant that can be maintained in SLS even though the framework's proof theory does not enforce the invariant.
bind: label -> value -> prop pers.
eval: cmd -> label -> prop pers.
retn: value -> label -> prop pers.
cont: frame -> label -> label -> prop pers.
cell: label -> field -> value -> prop pers.

ev/ret: eval (ret X) D * bind X V >-> {retn V D}.

ev/fun: eval (bnd L (fun \x. M0 x) (\x. M x)) D
        >-> {eval (M L) D * bind L (lam L \x. M0 x)}.

ev/call: eval (bnd L (call F X) (\x. M x)) D *
         bind F (lam L0 \x. M0 x) *
         bind X V
         >-> {eval (M0 L0) L0 * cont (call1 L (\x. M x)) L0 D}.

ev/call1: retn V D0 * cont (call1 L (\x. M x)) D0 D
          >-> {eval (M L) D * bind L V}.

ev/new: eval (bnd L newpair (\x. M x)) D
        >-> {eval (M L) D *
             cell L fst null * cell L snd null *
             bind L (loc L)}.

ev/proj: eval (bnd L (proj X Fld) (\x. M x)) D *
         bind X (loc L') *
         cell L' Fld V
         >-> {eval (M L) D * cell L' Fld V *
              bind L V}.

ev/set: eval (bnd L (set X Fld Y) (\x. M x)) D *
        bind X (loc L') *
        bind Y V
        >-> {eval (M L) D * cell L' Fld V *
             bind L V'}.

Figure 8.9: Alias analysis for the simple monadic language
Variables y are generated to be substituted into the body of some command, so we could equate them with the Skolemized function body as we did when deriving a control flow analysis example. Another option comes from noting that, for any initial source program, every command is associated with a particular source code location, so a simpler alternative is just to equate the variable with that source code location. This is why we stored labels on the stack: if we had not done so, then the label l associated with m in the command ⌜bnd_l x ← λx.m0 in m⌝ would no longer be available when we needed it in rule ev/call1.

We deal with mutable locations l in a similar manner: we equate them with the label l representing the line where that cell was generated.

There are multiple ways to deal with the destination d0 generated in rule ev/call. We want our analysis, like Aho et al.'s, to be insensitive to control flow, so we will equate d0 with the label l0 associated with the function we are calling. If we instead equated d0 with the label l associated with the call site or with the pair of the call site and the called function, the result would be an analysis that is more sensitive to control flow.

The choices described above are reflected in Figure 8.9, which takes the additional step of inlining uses of equality in the conclusions of rules. We can invoke this specification as a program analysis by packaging a program as a single command m and deriving a saturated process state from the initial process state (l_init:loc; x:(eval ⌜m⌝ l_init)). The use of source-code position labels makes the answers to some of the primary questions asked of an alias analysis quite concise. For instance:

* Might the first component of a pair created at label l1 ever reference a pair created at label l2? Only if cell l1 fst (loc l2) appears in the saturated process state (and likewise for the second component).

* Might the first component of a pair created at label l1 ever reference the same object as the first component of a pair created at label l2? Only if there is some l' such that cell l1 fst (loc l') and cell l2 fst (loc l') both appear in the saturated process state.
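An added example (not the dissertation's code): a saturating interpretation of the Figure 8.9 rules in Python, run on a small constructed program, with the two alias questions above as queries (the second generalized to any pair of fields). Two points the printed rules leave unconstrained are filled by assumption and marked in the comments: ev/call also binds the argument at l0 (its bind X V premise is otherwise unused), and the V' returned by ev/set is read from the persistent cell facts for the written field.

```python
# Commands:    ('ret', x) | ('bnd', l, e, x, m)          bnd_l x <- e in m
# Expressions: ('fun', x, m) | ('call', f, x) | ('newpair',)
#              | ('proj', x, fld) | ('set', x, fld, y)
# Values: ('lam', l, x, m) | ('loc', l) | ('null',).  Labels are ints; the
# analysis substitutes a label for a variable, which is (M L) in Figure 8.9.

def subst(m, x, l):
    """Replace variable x by label l in command m, respecting shadowing."""
    if m[0] == 'ret':
        return ('ret', l if m[1] == x else m[1])
    _, lab, e, y, body = m
    s = lambda v: l if v == x else v
    if e[0] == 'fun':
        e = e if e[1] == x else ('fun', e[1], subst(e[2], x, l))
    elif e[0] == 'call':
        e = ('call', s(e[1]), s(e[2]))
    elif e[0] == 'proj':
        e = ('proj', s(e[1]), e[2])
    elif e[0] == 'set':
        e = ('set', s(e[1]), e[2], s(e[3]))
    return ('bnd', lab, e, y, body if y == x else subst(body, x, l))

def binds(facts, x):
    return {f[2] for f in facts if f[0] == 'bind' and f[1] == x}

def cells(facts, l, fld):
    return {f[3] for f in facts if f[0] == 'cell' and f[1] == l and f[2] == fld}

def alias_analysis(program, init='init'):
    """Saturate the persistent rules of Figure 8.9 from eval program init."""
    facts = {('eval', program, init)}
    while True:
        new = set()
        for f in facts:
            if f[0] == 'eval':
                _, m, d = f
                if m[0] == 'ret':                                   # ev/ret
                    new |= {('retn', v, d) for v in binds(facts, m[1])}
                    continue
                _, l, e, x, body = m
                rest = ('eval', subst(body, x, l), d)               # eval (M L) D
                if e[0] == 'fun':                                   # ev/fun
                    new |= {rest, ('bind', l, ('lam', l, e[1], e[2]))}
                elif e[0] == 'call':                                # ev/call
                    for fn in binds(facts, e[1]):
                        if fn[0] == 'lam' and binds(facts, e[2]):
                            _, l0, x0, m0 = fn
                            new.add(('eval', subst(m0, x0, l0), l0))
                            new.add(('cont', ('call1', l, x, body), l0, d))
                            # Assumption: the argument is also bound at l0
                            new |= {('bind', l0, v) for v in binds(facts, e[2])}
                elif e[0] == 'newpair':                             # ev/new
                    new |= {rest, ('bind', l, ('loc', l)),
                            ('cell', l, 'fst', ('null',)), ('cell', l, 'snd', ('null',))}
                elif e[0] == 'proj':                                # ev/proj
                    for loc in binds(facts, e[1]):
                        if loc[0] == 'loc':
                            for v in cells(facts, loc[1], e[2]):
                                new |= {rest, ('bind', l, v)}
                elif e[0] == 'set':                                 # ev/set
                    for loc in binds(facts, e[1]):
                        if loc[0] != 'loc':
                            continue
                        for v in binds(facts, e[3]):
                            new |= {rest, ('cell', loc[1], e[2], v)}
                        # Assumption: the printed rule's V' is read from the
                        # persistent cell facts of the written field.
                        new |= {('bind', l, v) for v in cells(facts, loc[1], e[2])}
            elif f[0] == 'retn':                                    # ev/call1
                _, v, d0 = f
                for g in facts:
                    if g[0] == 'cont' and g[2] == d0:
                        (_, l, x, body), d = g[1], g[3]
                        new |= {('eval', subst(body, x, l), d), ('bind', l, v)}
        if new <= facts:
            return facts
        facts |= new

def may_point_to(facts, l1, fld, l2):
    """Might field fld of a pair created at l1 reference a pair created at l2?"""
    return ('cell', l1, fld, ('loc', l2)) in facts

def may_alias(facts, ref1, ref2):
    """Might fields (l1, fld1) and (l2, fld2) reference the same object?"""
    t1 = {v[1] for v in cells(facts, *ref1) if v[0] == 'loc'}
    t2 = {v[1] for v in cells(facts, *ref2) if v[0] == 'loc'}
    return bool(t1 & t2)

# Constructed program, labels are line numbers:  1: p <- newpair;
# 2: f <- fun a. (3: q <- newpair; 4: q.fst := a; ret q); 5: r <- call f p;
# 6: p.snd := r; 7: t <- r.fst; 8: r.snd := t; ret t
BODY = ('bnd', 3, ('newpair',), 'q',
        ('bnd', 4, ('set', 'q', 'fst', 'a'), '_', ('ret', 'q')))
PROGRAM = ('bnd', 1, ('newpair',), 'p',
           ('bnd', 2, ('fun', 'a', BODY), 'f',
           ('bnd', 5, ('call', 'f', 'p'), 'r',
           ('bnd', 6, ('set', 'p', 'snd', 'r'), '_',
           ('bnd', 7, ('proj', 'r', 'fst'), 't',
           ('bnd', 8, ('set', 'r', 'snd', 't'), '_', ('ret', 't')))))))
```

On this program the saturated state contains cell 3 fst (loc 1) and cell 1 snd (loc 3) but no cell 1 fst (loc 3), and both fields of the pair created at label 3 may reference the pair created at label 1; because the parameter and the function value share label 2, the analysis also records the function itself as a possible content of cell 3 fst, a conflation that the loc-only queries ignore.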

8.6 Related work

The technical aspects of linear logical approximation are similar to work done by Bozzano et al. [BDM02, BDM04], which was also based on the abstract interpretation of a logical specification in linear logic. They encode distributed systems and communication protocols in a framework that is similar to the linear fragment of SLS without equality. Abstractions of those programs are then used to verify properties of concurrent protocols that were encoded in the logic [BD02].

There are a number of significant differences between our work and Bozzano et al.'s, however. The style they use to encode protocols is significantly different from any of the SSOS specification styles presented in this dissertation. They used a general purpose approximation, which could therefore potentially be mechanized in the same way we mechanized transformations like operationalization; in contrast, the meta-approximation result described here captures a whole class of approximations. Furthermore, Bozzano et al.'s methods are designed to consider properties of a system as a whole, not static analyses of individual inputs as is the case in our work.

Work by Might and Van Horn on abstracting abstract machines can be seen as a parallel approach to our methodology in a very different setting [MSV10, Mig10, VM10]. Their emphasis is on deriving a program approximation by approximating a functional abstract interpreter for a programming language's operational semantics. Their methodology is similar to ours in large part because we are doing the same thing in a different setting, deriving a program approximation by approximating a destination-passing SSOS specification (which we could, in turn, have derived from an ordered abstract machine by destination-adding).

Many of the steps that they suggest for approximating programs have close analogues in our setting. For instance, their store-allocated bindings are analogous to the SSOS environment semantics, and their store-allocated continuations, which they motivate by analogy to implementation techniques for functional languages like SML/NJ, are precisely the destinations that arise naturally from the destination-adding transformation. The first approximation step we take is forgetting about linearity in order to obtain a (non-terminating) persistent logical specification. This step is comparable to Might's first approximation step of "throwing hats on everything" (named after the convention in abstract interpretation of denoting the abstract version of a state space Σ as Σ̂). The "mysterious" introduction of power domains that this entails is, in our setting, a perfectly natural result of relaxing the requirement that there be at most one persistent proposition bind x v for every x. As a final point of comparison, the "abstract allocation strategy" discussed in [VM10] is quite similar to our strategy of introducing and then approximating Skolem functions as a means of deriving a finite approximation. Our current discussion of Skolem functions in Section 8.4 is partially inspired by the relationship between our use of Skolemization and the discussion of abstract allocation in [VM10].

The independent discovery of a similar set of techniques for achieving similar goals in such different settings (though both approaches were to some degree inspired by Van Horn and Mairson's investigations of the complexity of k-CFA [VM07]) is another indication of the generality of both techniques, and the similarity also suggests that the wide variety of approximations considered in [VM10], as well as the approximations of object-oriented programming languages in [Mig10], can be adapted to this setting.
Part III

Reasoning about substructural logical specifications




Chapter 9

Generative invariants


So far, we have presented SLS as a framework for presenting transition systems. This view focuses on synthetic transitions as a way of relating pairs of process states, either with one transition (Ψ; Δ) ⇝ (Ψ'; Δ') or with a series of transitions (Ψ; Δ) ⇝* (Ψ'; Δ'). This chapter will focus on another view of concurrent SLS specifications as grammars for describing well-formed process states. This view was presented previously in the discussions of adequacy in Section 4.4.1 and in Section 6.3.

The grammar-like specifications that describe well-formed process states are called generative signatures, and generative signatures can be used to specify sets of process states, or worlds. By the analogy with grammars, we could also describe worlds as languages of process states recognized by the grammar. In our previous discussions of adequacy in Section 4.4.1 and in Section 6.3, the relevant world was a set of process states that we could put in bijective correspondence with the states of an abstract machine.

Generative signatures are a significant extension of context-free grammars, both because of the presence of dependent types and because of the presence of linear and persistent resources in SLS. However, we will not endeavor to study generative signatures in their own right in this chapter or this dissertation. Rather, we will use generative signatures for one very specific purpose: showing that, under some generative signature Σ_Gen that defines a world W, whenever (Ψ; Δ) ∈ W and (Ψ; Δ) ⇝_Σ (Ψ'; Δ') it is always the case that (Ψ'; Δ') ∈ W. (The signature Σ encodes the transition system we are studying.) In such a case, a world or language of well-formed process states is called a generative invariant of Σ.


Type preservation

Narrowing our focus even further, in this chapter our sole use of generative invariants will be describing well-formedness and well-typedness invariants of the sorts of substructural operational semantics specifications presented in Part II. When we want to prove language safety for a small-step SOS specification like e ↦ e' from Section 6.6.2 and the beginning of Chapter 6, we define a judgment x1:tp1, ..., xn:tpn ⊢ e : tp. This typing judgment expresses that e has type tp if the expression variables x1, ..., xn are respectively assumed to have the types tp1, ..., tpn. (Note that tp is an object-level type as described in Section 9.3, not an LF type τ from Chapter 4.)

Well-typedness invariants are important because they allow us to prove language safety, the property (discussed way back in the introduction) that a language specification is completely free from undefined behavior. The standard "safety = progress + preservation" formulation of type safety is primarily a statement about invariants. We specify some property ("well-typed with type tp"), show that it is invariant under execution (preservation: "if e ↦ e' and e has type tp, then e' has type tp"), and show that any state with that property has well-defined behavior (progress: "if e has type tp, it steps or is a value").

The purpose of this chapter is to demonstrate that generative invariants are a solid methodology for describing invariants of SLS specifications, especially well-formedness and -typedness invariants of substructural operational semantics specifications like the ones presented in Part II. As we have already seen, well-formedness invariants are a major part of adequacy theorems. In the next chapter, we will show that well-typedness invariants are sufficient for proving progress theorems, meaning that generative invariants can form the basis of progress-and-preservation-style safety theorems for programming languages specified in SLS. These two chapters support the third refinement of our central thesis:

Thesis (Part III): The SLS specification of the operational semantics of a programming language is a suitable basis for formal reasoning about properties of the specified language.

Overview

In Section 9.1 we review how generative signatures define a world and show how the regular worlds that Schürmann implemented in Twelf [Sch00] fall out as a special case of the worlds described by generative signatures. After this, the core of this chapter plays the same game, describing a well-formedness or well-typedness property with a generative signature and proving that the property is a generative invariant, five times. In each step, we motivate and explain new concepts.

* In Section 9.2 we extend the well-formedness invariant for sequential ordered abstract machines described in Section 6.3 to parallel ordered abstract machines with failure, setting up the basic pattern.

* In Section 9.3 we switch from specifying well-formed process states to specifying well-typed process states. This is not a large technical shift, but conceptually it is an important step from thinking about adequacy properties to thinking about preservation theorems.

* In Section 9.4 we describe how generative invariants can be established for the sorts of stateful signatures considered in Section 6.5. This specification introduces the promise-then-fulfill pattern and also requires us to consider unique index properties of specifications (Section 9.4.2).

* In Section 9.5 we consider invariants for specifications in the image of the destination-adding transformation from Chapter 7. This formalization, which is in essence a SLS encoding of Cervesato and Sans's type system from [CS13], also motivates the introduction of unique index sets to state unique index properties more concisely.

* In Section 9.6 we consider the peculiar case of first-class continuations, which require us to use persistent continuation frames as described in Section 7.2.4. Despite the superficial similarities between the SSOS semantics for first-class continuations and the other SSOS semantics considered in this dissertation, first-class continuations fundamentally change the control structure, and this is reflected in a fundamental change to the necessary generative invariants.

We conclude in Section 9.7 with a brief discussion of the mechanization of generative invariants, though this is primarily left for future work. In general, this chapter aims to be the first word in the use of generative invariants, but it is by no means the last.


9.1 Worlds

Worlds are nothing more or less than sets of stable process states (Ψ; Δ) as summarized in Appendix A. In this chapter, we will specify worlds with the combination of two artifacts: an initial process state and a generative signature.

Definition 9.1. A generative signature is a SLS signature where the ordered, mobile, and persistent atomic propositions can be separated into two sets, the terminals and the nonterminals. Synthetic transitions enabled by a generative signature only consume (or reference) nonterminals and LF terms, but their output variables can include LF variables, variables associated with terminals, and variables associated with nonterminals.

The use of terminal/nonterminal terminology favors the view of generative signatures as context-free grammars, an analogy that holds well for ordered nonterminals. Mobile nonterminals behave more like obligations when we use them as part of the promise-then-fulfill pattern (Section 9.4 and beyond), and persistent nonterminals behave more like constraints.

A generative signature, together with an initial state (Ψ0; Δ0), describes a world with the help of the restriction operator (Ψ; Δ)|_Σ introduced in Section 4.4.2. To recap, if (Ψ; Δ) is well-defined under the generative signature Σ_Gen, and Σ is any signature that includes all of the generative signature's terminals and all of its LF declarations but none of its nonterminals, then (Ψ; Δ)|_Σ is only defined when the only remaining nonterminals in Δ are persistent and can therefore be filtered out of Δ. When the classification of terminals and nonterminals is clear, we will leave off the restricting signature and just write (Ψ; Δ)|.

As a concrete example, let nt/foo be a persistent nonterminal, let nt/bar be an ordered nonterminal, and let t/baz be an ordered terminal. Then (x:(nt/bar) ord, y:(t/baz) ord)| is not defined, (y:(t/baz) ord)| = (y:(t/baz) ord), and (x:(nt/foo) pers, y:(t/baz) ord)| = (y:(t/baz) ord). Recalling the two-dimensional notation from Chapter 4, we can re-present these three statements as follows:

(x:(nt/bar) ord, y:(t/baz) ord)     (y:(t/baz) ord)     (x:(nt/foo) pers, y:(t/baz) ord)
///////////////////////////////     ///////////////     ////////////////////////////////
                                    (y:(t/baz) ord)              (y:(t/baz) ord)

Definition 9.1 is intentionally quite broad: it need not even be decidable whether a process state belongs to a particular world.¹ Future tractable analyses will therefore presumably be

¹ Proof: consider the initial state (x:(gen) ord) and the rule ∀e.∀v. gen • !(ev e v) ↠ {terminating e}. The
based upon further restrictions of the very general Definition 9.1. Context-free grammars are one obvious specialization of generative signatures; we used this correspondence as an intuitive guide in Section 4.4.1. Perhaps less obviously, the regular worlds of Twelf [Sch00] are another specialization of generative signatures.

9.1.1  Regular  worlds 

The  regular  worlds  used  in  Twelf  [SchOO]  are  specified  with  sets  of  blocks.  A  block  describes  a 
little  piece  of  an  LF  context,  and  is  declared  in  the  LF  signature  as  follows: 

blockname  :  some  {ai:ri}  . . .  {an:rn}  block  {bi.r[}  . . . 

A  block  declaration  is  well  formed  in  the  signature  £  if,  by  the  definition  of  well-formed  signa¬ 
tures  from  Figure  4.3,  •  hs  ai'.Ti, . . . ,  an:rn  ctx  and  a^-Ti, . . . ,  a?;_i  :rn  hs  b\.r[, . . . ,  bm\T'm  ctx. 

The first list of LF variable bindings $\{a_1{:}\tau_1\} \ldots \{a_n{:}\tau_n\}$ that comes after the some keyword describes the types of concrete LF terms that must exist for the block to be well formed. The second list of LF variable bindings represents the bindings that the block actually adds to the LF context. The regular worlds of Twelf are specified with sets of block identifiers $(block_1 \mid \ldots \mid block_n)$. A set $S$ of block identifiers and a Twelf signature $\Sigma$ inductively define a world as follows: the empty context belongs to every regular world, and if

* $\Psi$ is a well-formed LF context in the current world,

* $blockname : some\ \{a_1{:}\tau_1\} \ldots \{a_n{:}\tau_n\}\ block\ \{b_1{:}\tau'_1\} \ldots \{b_m{:}\tau'_m\} \in \Sigma$ is one of the blocks in $S$, and

* there is a $\sigma$ such that $\Psi \vdash_\Sigma \sigma : a_1{:}\tau_1, \ldots, a_n{:}\tau_n$,

then $\Psi, b_1{:}\sigma\tau'_1, \ldots, b_m{:}\sigma\tau'_m$ is also a well-formed LF context in the current world. The closed world, which contains only the empty context, is specified by the empty set of block identifiers.

One simple example of a regular world (previously discussed in Section 4.4.1) is one that contains all contexts with just expression variables of LF type exp. This world can be described with the block blockexp:

blockexp : some block {x:exp}

If we had a judgment natvar x n that associated every LF variable x:exp with some natural number n:nat, then in order to make sure that every expression variable was associated with some natural number we would use the world described by this block:

blocknatvar : some {n:nat} block {x:exp} {nx:natvar x n}

The world described by the combination of blockexp and blocknatvar is one where every LF variable x:exp is associated with at most one LF variable of type natvar x n. Assuming that there are no constants of type natvar,² this gives us a uniqueness property: if natvar x n and natvar x m, then m = n.

predicate gen is a nonterminal, the predicate terminating is a terminal, and ev is the encoding of big-step evaluation $e \Downarrow v$ from Figure 6.1. The language described is isomorphic to the set of $\lambda$-calculus expressions that terminate under a call-by-value strategy, and membership in that set is undecidable.

²This is a property we can easily enforce with subordination, which was introduced in Section 4.1.3.
9.1.2 Regular worlds from generative signatures

A block declaration $blockname : some\ \{a_1{:}\tau_1\} \ldots \{a_n{:}\tau_n\}\ block\ \{b_1{:}\tau'_1\} \ldots \{b_m{:}\tau'_m\}$ can be described by one rule in a generative signature:

$blockname : \forall a_1{:}\tau_1 \ldots \forall a_n{:}\tau_n.\ \{\exists b_1{:}\tau'_1 \ldots \exists b_m{:}\tau'_m.\ 1\}$

Because a regular world is just a set of blocks, the generative signature corresponding to a regular world contains one rule for each block in the regular world's description. The world described by (blockexp | blocknatvar) corresponds to the following generative signature:

nat : type.
... declare constants of type nat ...
exp : type.
... declare constants of type exp ...
blockexp : {∃x:exp. 1}.
blocknatvar : ∀n:nat. {∃x:exp. ∃nx:natvar x n. 1}.

Call this regular world signature $\Sigma_{RW}$. It is an extremely simple example of a generative signature (there are no terminals and no nonterminals), so the restriction operator has no effect. The world described by (blockexp | blocknatvar) is identical to the set of LF contexts $\Psi$ such that

$(\cdot;\cdot) \leadsto^*_{\Sigma_{RW}} (\Psi;\cdot)$.

9.1.3  Regular  worlds  in  substructural  specifications 

It is a simple generalization to replace the proposition 1 in the head of the generative block* rules above with less trivial positive SLS propositions. In this way, we can extend the language of regular worlds to allow the introduction of ordered, mobile, and persistent SLS propositions as well. For instance, the rule $blockitem : \forall n.\ \{item\ n\}$, where item is a mobile predicate, describes the world of contexts that take the form $(\cdot;\ x_1{:}\langle item\ n_1\rangle\ eph, \ldots, x_k{:}\langle item\ n_k\rangle\ eph)$ for some numbers $n_1 \ldots n_k$. The world described by this generative signature is an invariant of a rule like

$merge : \forall n.\,\forall m.\,\forall p.\ item\ n \bullet item\ m \bullet\, !(plus\ n\ m\ p) \rightarrowtail \{item\ p\}$

that combines two items, where plus is a negative predicate defined with a deductive specification as in Figure 6.21.

Such substructural generalizations of regular worlds are sufficient for the encoding of stores in Linear LF [CP02] and stacks in Ordered LF [Pol01]. They also suffice to describe well-formedness invariants in Felty and Momigliano's sequential specifications [FM12]. However, regular worlds are insufficient for the invariants discussed in the remainder of this chapter.

9.1.4  Generative  versus  consumptive  signatures 

Through the example of regular worlds, we can explain why worlds are defined as sets of process states generated by a signature $\Sigma_{Gen}$ and an initial state $(\Psi;\Delta)$:

\[
\{(\Psi';\Delta'') \mid (\Psi;\Delta) \leadsto^*_{\Sigma_{Gen}} (\Psi';\Delta') \wedge (\Psi';\Delta'') \text{ is the restriction of } (\Psi';\Delta')\}
\]

as opposed to the apparently symmetric case where worlds are sets of process states that can generate a final process state $(\Psi;\Delta)$ under a signature $\Sigma_{Cons}$, which we will call a consumptive signature:

\[
\{(\Psi';\Delta'') \mid (\Psi';\Delta') \leadsto^*_{\Sigma_{Cons}} (\Psi;\Delta) \wedge (\Psi';\Delta'') \text{ is the restriction of } (\Psi';\Delta')\}
\]

Consumptive signatures look like generative signatures with the arrows turned around: we consume well-formed contexts using rules like $\forall e.\ eval\ e \rightarrowtail \{safe\}$ and $\forall f.\ safe \bullet cont\ f \rightarrowtail \{safe\}$ instead of creating them with rules like $\forall e.\ gen \rightarrowtail \{eval\ e\}$ and $\forall f.\ gen \rightarrowtail \{gen \bullet cont\ f\}$. One tempting property of consumptive signatures is that they open up the possibility of working with complete derivations rather than traces. That is, using a consumptive signature, we can talk about the set of process states $(\Psi;\Delta)$ where $\Psi;\Delta \vdash safe\ lax$ rather than the set of process states where $(\cdot;\ x{:}\langle gen\rangle\ ord) \leadsto^* (\Psi;\Delta)$.³

For purely context-free-grammar-like invariants, such as the PDA invariant from Section 4.4.1 and the SSOS invariant from Section 6.3, generative and consumptive signatures are effectively equivalent. However, for generative signatures describing regular worlds, there is no notion of turning the arrows around to get an appropriate consumptive signature. In particular, say we want to treat

$\Psi_{good} = (x_1{:}exp,\ nv_1{:}natvar\ x_1\ n_1,\ x_2{:}exp,\ nv_2{:}natvar\ x_2\ n_2)$

as a well-formed LF context but not treat

$\Psi_{bad} = (x{:}exp,\ nv_1{:}natvar\ x\ n_1,\ nv_2{:}natvar\ x\ n_2)$

as well-formed. It is trivial to use Twelf's regular worlds or generative signatures to impose this condition, but it does not seem possible to use consumptive signatures for this purpose. There exists a substitution $(x/x_1,\ nv_1/nv_1,\ x/x_2,\ nv_2/nv_2)$ from $\Psi_{good}$ to $\Psi_{bad}$; therefore, by variable substitution (Theorem 3.4), if there exists a derivation of $\Psi_{good} \vdash_\Sigma gen\ lax$ there also exists a derivation of $\Psi_{bad} \vdash_\Sigma gen\ lax$. This is related to the issues of variable and pointer (in)equality discussed in Section 6.5.1.

The generative signatures used to describe state in Section 9.4 and destination-passing style in Section 9.5 rely critically on the uniqueness properties that are provided by generative signatures and not by consumptive signatures.
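To make the generative reading of a regular world concrete, here is an added example (not code from the dissertation, Twelf, or SLS) that treats the two block rules of $\Sigma_{RW}$ from Section 9.1.2 as the productions of a grammar over LF contexts. It decides membership of $\Psi_{good}$ and $\Psi_{bad}$ from this section in the world (blockexp | blocknatvar), and it enumerates every context the signature can generate with a bounded number of blocks to confirm the uniqueness property of Section 9.1.1. The tuple encoding of contexts, the nat constants z and s, and all function names are assumptions of the example.

```python
"""Regular worlds as generative signatures: an added example.

An LF context is a tuple of (variable, type) bindings in order; a type is a
tuple such as ('exp',) or ('natvar', 'x1', 'z').  Natural numbers are the
constructed constants 'z' and ('s', n).  The two block rules of Sigma_RW,
    blockexp    : {∃x:exp. 1}
    blocknatvar : ∀n:nat. {∃x:exp. ∃nx:natvar x n. 1}
are the only ways to extend a context, so a context is in the world exactly
when it splits, left to right, into instances of these two blocks.
"""

def is_nat(t):
    """Closed terms of LF type nat in this encoding (assumed constants z, s)."""
    return t == 'z' or (isinstance(t, tuple) and len(t) == 2
                        and t[0] == 's' and is_nat(t[1]))


def block_lengths(ctx, i):
    """Lengths of the block instances that can start at position i of ctx."""
    out = []
    if i < len(ctx) and ctx[i][1] == ('exp',):
        out.append(1)                      # blockexp adds x:exp
        if i + 1 < len(ctx):
            x, t = ctx[i][0], ctx[i + 1][1]
            # blocknatvar adds x:exp followed by nx:natvar x n for a nat n
            if t[0] == 'natvar' and t[1] == x and is_nat(t[2]):
                out.append(2)
    return out


def in_world(ctx, i=0):
    """True iff ctx[i:] is generated by Sigma_RW, i.e. (·;·) ⇝* (ctx;·)."""
    if i == len(ctx):
        return True
    return any(in_world(ctx, i + k) for k in block_lengths(ctx, i))


def natvar_unique(ctx):
    """The uniqueness property: natvar x n and natvar x m in ctx imply n = m."""
    seen = {}
    for _, t in ctx:
        if t[0] == 'natvar':
            if t[1] in seen and seen[t[1]] != t[2]:
                return False
            seen[t[1]] = t[2]
    return True


def generate(max_blocks, nats=('z', ('s', 'z'))):
    """Every context reachable from the empty context by applying at most
    max_blocks block rules (the generative reading of the world).  Fresh
    variable names are derived from the current length of the context."""
    frontier, worlds = [()], [()]
    for _ in range(max_blocks):
        new = []
        for ctx in frontier:
            x = 'x%d' % len(ctx)
            new.append(ctx + ((x, ('exp',)),))                      # blockexp
            for n in nats:                                          # blocknatvar
                new.append(ctx + ((x, ('exp',)),
                                  ('nv%d' % len(ctx), ('natvar', x, n))))
        worlds += new
        frontier = new
    return worlds


# Psi_good and Psi_bad from Section 9.1.4, with n1 = z and n2 = s z (constructed).
PSI_GOOD = (('x1', ('exp',)), ('nv1', ('natvar', 'x1', 'z')),
            ('x2', ('exp',)), ('nv2', ('natvar', 'x2', ('s', 'z'))))
PSI_BAD = (('x', ('exp',)), ('nv1', ('natvar', 'x', 'z')),
           ('nv2', ('natvar', 'x', ('s', 'z'))))

if __name__ == '__main__':
    print('Psi_good in world:', in_world(PSI_GOOD))       # True
    print('Psi_bad in world:', in_world(PSI_BAD))         # False
    print('uniqueness holds for every generated context:',
          all(natvar_unique(c) for c in generate(3)))     # True
```

The parse in `in_world` backtracks over both block shapes, so it is a faithful membership test rather than a greedy heuristic; `generate` is the other direction, running the signature forward, and the two agree on every context it produces.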


9.2  Invariants  of  ordered  specifications 

We already introduced generative invariants for ordered abstract machine SSOS specifications in Section 6.3. In this section, we will extend that generative invariant to ordered abstract machines with parallel evaluation and recoverable failure.

In Figure 9.1 we define a flat ordered abstract machine with parallel features (parallel evaluation of the function and argument in an application, as discussed in Section 6.1.4 and Figure 6.3) and recoverable failure (as presented in Section 6.5.4 and Figure 6.20). To make sure there

³As long as $\Psi$ and $\Delta$ contain only nonterminals; using consumptive signatures doesn't obviate the need for the restriction operation on $(\Psi;\Delta)$ or some equivalent restriction operation.
eval: exp -> prop ord.
retn: exp -> prop ord.
cont: frame -> prop ord.
cont2: frame -> prop ord.
error: prop ord.
handle: exp -> prop ord.

;; Unit
ev/unit: eval unit >-> {retn unit}.

;; Sequential let
ev/let: eval (let E \x. E' x) >-> {eval E * cont (let1 \x. E' x)}.
ev/let1: retn V * cont (let1 \x. E' x) >-> {eval (E' V)}.

;; Functions and parallel application
ev/lam: eval (lam \x. E x) >-> {retn (lam \x. E x)}.
ev/app: eval (app E1 E2) >-> {eval E1 * eval E2 * cont2 app1}.
ev/app1: retn (lam \x. E x) * retn V2 * cont2 app1 >-> {eval (E V2)}.

;; Recoverable failure
ev/fail: eval fail >-> {error}.
ev/catch: eval (catch E1 E2) >-> {eval E1 * handle E2}.
ev/catcha: retn V * handle _ >-> {retn V}.
ev/catchb: error * handle E2 >-> {eval E2}.
ev/error: error * cont _ >-> {error}.
ev/errerr: error * error * cont2 _ >-> {error}.
ev/errret: error * retn _ * cont2 _ >-> {error}.
ev/reterr: retn _ * error * cont2 _ >-> {error}.

Figure 9.1: Ordered abstract machine with parallel evaluation and failure


is still an interesting sequential feature, we also introduce a let-expression $\ulcorner let\ x = e\ in\ e'\urcorner = let\ \ulcorner e\urcorner\ \lambda x.\ulcorner e'\urcorner$. The particular features are less important than the general setup, which effectively represents all the specifications from Chapter 6 that used only ordered atomic propositions.

Our goal is to describe a generative signature that represents the well-formed process states of the specification in Figure 9.1. What determines whether a process state is well formed? The intended adequacy theorem was our guide in Section 6.3, and the intended progress theorem will guide our hand in Section 9.3. An obvious minimal requirement is that every state $\Delta$ such that $(x{:}\langle eval\ \ulcorner e\urcorner\rangle\ ord) \leadsto^* \Delta$ under the signature from Figure 9.1 must be well formed; otherwise well-formedness won't be invariant under evaluation! One option is therefore to make this correspondence precise, and to have the well-formed states be precisely the states that are reachable in the process of evaluating syntactically valid expressions $\ulcorner e\urcorner$. That is, if $(x{:}\langle gen\rangle\ ord) \leadsto^* \Delta$ under the generative signature and if $\Delta$ contains no instances of gen, then there should be an expression $e$ such that $(x{:}\langle eval\ \ulcorner e\urcorner\rangle\ ord) \leadsto^* \Delta$ under the signature from Figure 9.1. (Because gen is the only nonterminal, we can express that $\Delta$ contains no instances of gen by applying the restriction operator to $\Delta$.)⁴

The analogues of the unary grammar productions, associated with the terminals eval e, retn v, and error, are straightforward:

gen/eval: gen >-> {eval E}.
gen/retn: gen * !value V >-> {retn V}.
gen/error: gen >-> {error}.

As in Section 6.3, we use a deductively-defined judgment value v to stipulate that we only return values. The process state $(y{:}\langle retn\ \ulcorner e_1\ e_2\urcorner\rangle\ ord)$ is not well formed: the application expression $e_1\ e_2$ is not a value, and there is no $e$ such that $(x{:}\langle eval\ \ulcorner e\urcorner\rangle\ ord) \leadsto^* (y{:}\langle retn\ \ulcorner e_1\ e_2\urcorner\rangle\ ord)$ under the signature from Figure 9.1.

There is a potential catch when we consider the rules for sequential continuations cont f and parallel continuations cont2 f. We expect a sequential continuation frame to be preceded by a single well-formed computation, and a parallel continuation frame to be preceded by two well-formed computations, suggesting these rules:

gen/cont: gen >-> {gen * cont F}.
gen/cont2: gen >-> {gen * gen * cont2 F}.

Even though gen/cont is exactly the rule for sequential continuations in Section 6.3, this approach conflicts with our guiding principle of reachability. Both sequential continuation frames cont f and parallel continuation frames cont2 f are indexed by LF terms f of type frame, but the parallel frame app1 cannot appear in a sequential continuation, nor can the sequential frame (let1 λx. e x) appear in a parallel frame.

This is fundamentally no more complicated than the restrictions we placed on the retn v terminal. All expressions (LF terms of type exp) can appear in eval e propositions (and in handle e propositions), but only some can appear in retn v propositions. We describe that subset of expressions with the negative atomic proposition value v, which is deductively defined. Similarly, only some frames can appear in cont f terminals, and only some frames can appear in cont2 f terminals. The former subset can be expressed by a negative atomic proposition okf f, and the latter by a negative atomic proposition okf2 f. Both of these are deductively defined. The full specification of this generative invariant is shown in Figure 9.2; we will refer to this generative signature as $\Sigma_{Gen9.2}$.

9.2.1  Inversion 

Traditional inversion lemmas are a critical part of preservation properties for small-step operational semantics specifications. In traditional preservation theorems, we often start with a derivation of $e_1\,e_2 \mapsto e_1'\,e_2$ and another derivation of $\cdot \vdash e_1\,e_2 : tp$. An inversion lemma then proceeds by case analysis on the structure of the derivation $\cdot \vdash e_1\,e_2 : tp$, and allows us to conclude that $\cdot \vdash e_1 : tp' \to tp$ and that $\cdot \vdash e_2 : tp'$ for some object-level type $tp'$. In other words, an inversion

⁴We won't discuss the proof of this property, but the proof is not difficult to reconstruct; it follows the same contours as the proof of progress given in Chapter 10.
value: exp -> prop.
value/unit: value unit.
value/lam: value (lam \x. E x).

okf: frame -> prop.
okf/let1: okf (let1 \x. E' x).

okf2: frame -> prop.
okf2/app1: okf2 app1.

gen: prop ord.
gen/eval: gen >-> {eval E}.
gen/retn: gen * !value V >-> {retn V}.
gen/cont: gen * !okf F >-> {gen * cont F}.
gen/cont2: gen * !okf2 F >-> {gen * gen * cont2 F}.
gen/error: gen >-> {error}.
gen/handle: gen >-> {gen * handle E2}.

Figure 9.2: Generative invariant: well-formed process states


lemma allows us to take knowledge about a term's structure and obtain information about the structure of its typing derivation.

Inversion on a generative signature is intuitively similar: we take information about the structure of a process state and use it to learn about the generative trace that formed that process state. Concurrent equality (Section 4.3) is critical. None of the parts of the lemma below would hold if we did not equate traces such as

\[
\begin{array}{l}
(x'{:}\langle gen\rangle\ ord)\\
\{x_1, x_2, x_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !okf2/app1)\\
\{y_1\} \leftarrow gen/eval\ e_1\ x_1\\
\{y_2\} \leftarrow gen/eval\ e_2\ x_2\\
(y_1{:}\langle eval\ e_1\rangle\ ord,\ y_2{:}\langle eval\ e_2\rangle\ ord,\ x_3{:}\langle cont2\ f\rangle\ ord)
\end{array}
\]

and

\[
\begin{array}{l}
(x'{:}\langle gen\rangle\ ord)\\
\{x_1, x_2, x_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !okf2/app1)\\
\{y_2\} \leftarrow gen/eval\ e_2\ x_2\\
\{y_1\} \leftarrow gen/eval\ e_1\ x_1\\
(y_1{:}\langle eval\ e_1\rangle\ ord,\ y_2{:}\langle eval\ e_2\rangle\ ord,\ x_3{:}\langle cont2\ f\rangle\ ord)
\end{array}
\]

by concurrent equality.

The function of an inversion lemma is to conclude, based on the structure of a generated process state, something about the last step in the trace that generated it. This is less immediate than inversion on derivations because concurrent traces can have many steps which can all

Figure 9.3: Graphical representation of part 1 of the inversion lemma for $\Sigma_{Gen9.2}$

equivalently be treated as the last, such as the two gen/eval steps above. Another way of looking at the inversion lemma, which emphasizes that generative traces act like rewriting rules, is shown in Figure 9.3.

Lemma (Inversion, Figure 9.2).

1. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y{:}\langle eval\ e\rangle\ ord\}$,⁵ then $T = (T'; \{y\} \leftarrow gen/eval\ e\ x')$.

2. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y{:}\langle retn\ v\rangle\ ord\}$, then $T = (T'; \{y\} \leftarrow gen/retn\ v\ (x' \bullet\, !N))$, where $\cdot \vdash N : value\ v\ true$.⁶

3. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle cont\ f\rangle\ ord\}$, then $T = (T'; \{y_1, y_2\} \leftarrow gen/cont\ f\ (x' \bullet\, !N))$, where $\cdot \vdash N : okf\ f\ true$.

4. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\}$, then $T = (T'; \{y_1, y_2, y_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !N))$, where $\cdot \vdash N : okf2\ f\ true$.

5. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y{:}\langle error\rangle\ ord\}$, then $T = (T'; \{y\} \leftarrow gen/error\ x')$.

6. If $T :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle handle\ e\rangle\ ord\}$, then $T = (T'; \{y_1, y_2\} \leftarrow gen/handle\ e\ x')$.

In each instance above, $T' :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{x'{:}\langle gen\rangle\ ord\}$, where the variables $x_0$ and $x'$ may or may not be the same. (They are the same iff $T' = \circ$.)

⁵Our notation for frames $\Theta$ and the tacking-on operation $\Theta\{\Delta\}$ is summarized in Appendix A.

⁶In this chapter, the signature associated with every deductive derivation ($\Sigma_{Gen9.2}$ in this case) is clear from the context and so we write $\cdot \vdash N : value\ v\ true$ instead of $\cdot \vdash_{\Sigma_{Gen9.2}} N : value\ v\ true$.
Proof. Each part follows by induction and case analysis on the last steps of $T$. In each case, we know that the trace cannot be empty, because the variable bindings $y{:}\langle eval\ e\rangle\ ord$, $y{:}\langle retn\ v\rangle\ ord$, $y_2{:}\langle cont\ f\rangle\ ord$, $y_3{:}\langle cont2\ f\rangle\ ord$, $y{:}\langle error\rangle\ ord$, and $y_2{:}\langle handle\ e\rangle\ ord$, respectively, appear in the final process state but not the initial process state. Therefore, $T = T''; S$ for some $T''$ and $S$.

There are two ways of formulating the proof of this inversion lemma. The specific formulation does a great deal of explicit case analysis but is closer in style to the preservation lemmas. We also give a more generic formulation of the proof which avoids much of this case analysis, in large part by operating in terms of the input and output interfaces introduced in Section 4.3.

Specific formulation (Part 4)

Given $(T''; S) :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Theta\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\}$, we perform case analysis on $S$. We give two representative cases:

Case $S = \{z\} \leftarrow gen/eval\ e\ x''$

We have that $\Theta\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\} = \Theta'\{z{:}\langle eval\ e\rangle\ ord\}$. It cannot be the case that $z = y_1$, $z = y_2$, or $z = y_3$, since the propositions don't match. Therefore, we can informally describe the substructural context as a frame $\Theta_{2H}$ with two holes that are filled as $\Theta_{2H}\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\}\{z{:}\langle eval\ e\rangle\ ord\}$. (We haven't actually introduced frames with two holes; the reasoning we do with two-hole contexts here could also be done following the structure of the cut admissibility proof, Theorem 3.6.)

If we call the induction hypothesis on $T''$, we get that

\[
\begin{array}{l}
T'' = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'''\\
\qquad \Theta_{2H}\{x'{:}\langle gen\rangle\ ord\}\{x''{:}\langle gen\rangle\ ord\}\\
\qquad \{y_1, y_2, y_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !N)\\
\qquad \Theta_{2H}\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\}\{x''{:}\langle gen\rangle\ ord\}
\end{array}
\]

The steps $\{y_1, y_2, y_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !N)$ and $\{z\} \leftarrow gen/eval\ e\ x''$ can be permuted, so we let $T' = T'''; \{z\} \leftarrow gen/eval\ e\ x''$ and have

\[
\begin{array}{l}
T = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'''\\
\qquad \Theta_{2H}\{x'{:}\langle gen\rangle\ ord\}\{x''{:}\langle gen\rangle\ ord\}\\
\qquad \{z\} \leftarrow gen/eval\ e\ x''\\
\qquad \Theta_{2H}\{x'{:}\langle gen\rangle\ ord\}\{z{:}\langle eval\ e\rangle\ ord\}\\
\qquad \{y_1, y_2, y_3\} \leftarrow gen/cont2\ f\ (x' \bullet\, !N)\\
\qquad \Theta_{2H}\{y_1{:}\langle gen\rangle\ ord,\ y_2{:}\langle gen\rangle\ ord,\ y_3{:}\langle cont2\ f\rangle\ ord\}\{z{:}\langle eval\ e\rangle\ ord\}
\end{array}
\]

Case $S = \{z_1, z_2, z_3\} \leftarrow gen/cont2\ f'\ (x'' \bullet\, !N')$

If $z_1 = y_1$, $z_2 = y_2$, or $z_3 = y_3$, then the ordered structure of the context forces the rest of the equalities to hold and we succeed immediately letting $T' = T''$, $f = f'$, and $N = N'$.

If $z_1 \neq y_1$, $z_2 \neq y_2$, and $z_3 \neq y_3$, then we proceed by induction as in the gen/eval case above.

The only other possibilities allowed by the propositions associated with variables are that $z_1 = y_2$, which is impossible because it would force $z_2 = y_3$ and therefore force gen to equal cont2 f, and that $z_2 = y_1$, which is impossible because it would force $z_3 = y_2$ and therefore force cont2 f to equal gen.

Generic formulation

Let $Var$ be the set of relevant variables: $\{y\}$ in parts 1, 2, and 5, $\{y_1, y_2\}$ in parts 3 and 6, and $\{y_1, y_2, y_3\}$ in part 4.

One possibility is that $\emptyset = S^\bullet \cap Var$. If so, it is always the case that $\emptyset = {}^\bullet S \cap Var$ as well, because $Var$ contains no persistent atomic propositions or LF variables. By the induction hypothesis we then get that $T'' = T'''; S'$, where $S' = \{y\} \leftarrow gen/eval\ e\ x'$ in part 1, $S' = \{y\} \leftarrow gen/retn\ v\ (x' \bullet\, !N)$ in part 2, and so on. In each of the six parts, $S'^\bullet = Var$, so $\emptyset = S'^\bullet \cap {}^\bullet S$ and $(T'''; S'; S) = (T'''; S; S')$. We can conclude letting $T' = (T'''; S)$.

If, on the other hand, $S^\bullet \cap Var$ is nonempty, we must show by case analysis that $S^\bullet = Var$ and that furthermore $S$ is the step we were looking for. This is easy in parts 1, 2, and 5 where $Var$ is a singleton set: there is only one rule that can produce an atomic proposition of type eval e, retn v, or error, respectively. In part 4, we observe that, if the variable bindings $y_1{:}\langle gen\rangle\ ord$, $y_2{:}\langle gen\rangle\ ord$, and $y_3{:}\langle cont2\ f\rangle\ ord$ appear in order in the substructural context, there is no step in the signature $\Sigma_{Gen9.2}$ that has $y_1$ among its output variables that does not also have $y_2$ and $y_3$ among its output variables, no step that has $y_2$ among its output variables that does not also have $y_1$ and $y_3$ among its output variables, and so on. (This is a rephrasing of the reasoning we did in the gen/cont2 case of the proof above.) Parts 3 and 6 work by similar reasoning. □

The inversion lemma can be intuitively connected with the idea that the grammar described by a generative signature is unambiguous. This will not hold in general. If there was a rule $gen/redundant : gen \rightarrowtail \{gen\}$ in $\Sigma_{Gen9.2}$, for instance, then the final step $S$ could be $\{y_1\} \leftarrow gen/redundant\ y'$, and this would invalidate our inversion lemma for parts 3, 4, and 6.

Conversely, if we tried to prove an inversion property about traces $(x{:}\langle gen\rangle\ ord) \leadsto^* \Theta\{y{:}\langle gen\rangle\ ord\}$, this property would again fail: $Var = \{y\}$, and in the case where the last step $S$ is driven by one of the rules gen/cont, gen/cont2, or gen/handle, $S^\bullet$ will be a strict superset of $Var$.

The reason for preferring the generic formulation to the one based on more straightforward case analysis is that the generic formulation is much more compact. The specific formulation in its full elaboration would require enumerating 7 cases for each of the 6 inversion lemmas, leading to a proof whose size is in $O(n^2)$ where $n$ is the number of rules in the generative signature. This enormous proof does very little to capture the intuitive reasons why the steps we are interested in can always be rotated to the end. A goal of this chapter is to emphasize the principles by which we can reason concisely about specifications.


9.2.2  Preservation 

Theorem 9.2 ($\Sigma_{Gen9.2}$ is a generative invariant). If $T_1 :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Delta$ and $S :: \Delta \leadsto \Delta'$ under the signature from Figure 9.1, then $T_2 :: (x_0{:}\langle gen\rangle\ ord) \leadsto^*_{\Sigma_{Gen9.2}} \Delta'$.

Again recalling the two-dimensional notation from Chapter 4, the statement of this theorem can be illustrated as follows (dashed lines represent outputs of the theorem):

[Diagram: the given trace $T_1$ from $(x_0{:}\langle gen\rangle\ ord)$ to $\Delta$ under $\Sigma_{Gen9.2}$ and the given step $S$ from $\Delta$ to $\Delta'$, with the output trace $T_2$ from $(x_0{:}\langle gen\rangle\ ord)$ to $\Delta'$ drawn dashed.]
Proof. By case analysis on $S$. As in the proofs of Theorem 4.7 and Theorem 6.6, we enumerate the synthetic transitions possible under the signature in Figure 9.1, perform inversion on the structure of $T_1$, and then use the results of inversion to construct $T_2$. We give three illustrative cases corresponding to the fragment dealing with functions and parallel application.

Case $\{y\} \leftarrow ev/lam\ (\lambda x.e)\ x :: \Theta\{x{:}\langle eval\ (lam\ \lambda x.e)\rangle\ ord\} \leadsto \Theta\{y{:}\langle retn\ (lam\ \lambda x.e)\rangle\ ord\}$

Applying inversion (Part 1) to $T_1$, we have

\[
\begin{array}{l}
T_1 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{x\} \leftarrow gen/eval\ (lam\ \lambda x.e)\ x'\\
\qquad \Theta\{x{:}\langle eval\ (lam\ \lambda x.e)\rangle\ ord\}
\end{array}
\]

We can use $T'$ to construct $T_2$ as follows:

\[
\begin{array}{l}
T_2 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{y\} \leftarrow gen/retn\ (lam\ \lambda x.e)\ (x' \bullet\, !(value/lam\ (\lambda x.e)))\\
\qquad \Theta\{y{:}\langle retn\ (lam\ \lambda x.e)\rangle\ ord\}
\end{array}
\]

Case $\{y_1, y_2, y_3\} \leftarrow ev/app\ e_1\ e_2\ x :: \Theta\{x{:}\langle eval\ (app\ e_1\ e_2)\rangle\ ord\} \leadsto \Theta\{y_1{:}\langle eval\ e_1\rangle\ ord,\ y_2{:}\langle eval\ e_2\rangle\ ord,\ y_3{:}\langle cont2\ app1\rangle\ ord\}$

Applying inversion (Part 1) to $T_1$, we have

\[
\begin{array}{l}
T_1 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{x\} \leftarrow gen/eval\ (app\ e_1\ e_2)\ x'\\
\qquad \Theta\{x{:}\langle eval\ (app\ e_1\ e_2)\rangle\ ord\}
\end{array}
\]
We can use $T'$ to construct $T_2$ as follows:

\[
\begin{array}{l}
T_2 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{y_1', y_2', y_3\} \leftarrow gen/cont2\ app1\ (x' \bullet\, !okf2/app1)\\
\qquad \{y_1\} \leftarrow gen/eval\ e_1\ y_1'\\
\qquad \{y_2\} \leftarrow gen/eval\ e_2\ y_2'\\
\qquad \Theta\{y_1{:}\langle eval\ e_1\rangle\ ord,\ y_2{:}\langle eval\ e_2\rangle\ ord,\ y_3{:}\langle cont2\ app1\rangle\ ord\}
\end{array}
\]

Case $\{y\} \leftarrow ev/app1\ (\lambda x.e)\ v_2\ (x_1 \bullet x_2 \bullet x_3) :: \Theta\{x_1{:}\langle retn\ (lam\ \lambda x.e)\rangle\ ord,\ x_2{:}\langle retn\ v_2\rangle\ ord,\ x_3{:}\langle cont2\ app1\rangle\ ord\} \leadsto \Theta\{y{:}\langle eval\ ([v_2/x]e)\rangle\ ord\}$

Applying inversion (Part 2, twice, and then Part 4) to $T_1$, we have

\[
\begin{array}{l}
T_1 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{x_1', x_2', x_3\} \leftarrow gen/cont2\ app1\ (x' \bullet\, !N)\\
\qquad \{x_1\} \leftarrow gen/retn\ (lam\ \lambda x.e)\ (x_1' \bullet\, !N_1)\\
\qquad \{x_2\} \leftarrow gen/retn\ v_2\ (x_2' \bullet\, !N_2)\\
\qquad \Theta\{x_1{:}\langle retn\ (lam\ \lambda x.e)\rangle\ ord,\ x_2{:}\langle retn\ v_2\rangle\ ord,\ x_3{:}\langle cont2\ app1\rangle\ ord\}
\end{array}
\]

We can use $T'$ to construct $T_2$ as follows:

\[
\begin{array}{l}
T_2 = (x_0{:}\langle gen\rangle\ ord)\\
\qquad T'\\
\qquad \Theta\{x'{:}\langle gen\rangle\ ord\}\\
\qquad \{y\} \leftarrow gen/eval\ ([v_2/x]e)\ x'\\
\qquad \Theta\{y{:}\langle eval\ ([v_2/x]e)\rangle\ ord\}
\end{array}
\]

The other cases, corresponding to the rules ev/unit, ev/fail, ev/catch, ev/catcha, ev/catchb, ev/error, ev/errerr, ev/errret, and ev/reterr, all proceed similarly by inversion and reconstruction. □

Note that, in the case corresponding to the rule ev/app1, we obtained but did not use three terms $\cdot \vdash N : okf2\ app1\ true$, $\cdot \vdash N_1 : value\ (lam\ \lambda x.e)\ true$, and $\cdot \vdash N_2 : value\ v_2\ true$. By traditional inversion on the structure of a deductive derivation, we know that $N = okf2/app1$ and $N_1 = value/lam\ (\lambda x.e)$, but that fact was also not necessary here.
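As an added example (not code from the dissertation or from the SLS implementation), the following Python encodes the ordered abstract machine of Figure 9.1 as rewriting over a tuple of ordered atoms, and the generative signature of Figure 9.2 as a recognizer that parses a process state from the right, so that the rightmost atom determines the last generative step exactly as in the inversion lemma of Section 9.2.1. It then checks Theorem 9.2 exhaustively on every state reachable from a few constructed programs, including one whose states are all well formed but which gets stuck, which is the gap that Section 9.3 closes with type indices. The tuple encodings of expressions, frames and atoms, and all function names, are assumptions of the example.

```python
"""Figure 9.1 (ordered abstract machine) and Figure 9.2 (generative invariant)
as an added example.  Constructed encoding: expressions ('unit',), ('var', x),
('lam', x, e), ('app', e1, e2), ('let', e, x, e2), ('fail',), ('catch', e1, e2);
frames ('let1', x, e) and ('app1',); a process state is a tuple of atoms in order."""

def subst(e, x, v):
    """[v/x]e for a closed value v; lam and let binders shadow x."""
    k = e[0]
    if k == 'var':
        return v if e[1] == x else e
    if k == 'lam':
        return e if e[1] == x else ('lam', e[1], subst(e[2], x, v))
    if k == 'let':
        return ('let', subst(e[1], x, v), e[2], e[3] if e[2] == x else subst(e[3], x, v))
    if k in ('app', 'catch'):
        return (k, subst(e[1], x, v), subst(e[2], x, v))
    return e                                             # unit, fail

def is_value(e): return e[0] in ('unit', 'lam')          # value/unit, value/lam
def okf(f): return f[0] == 'let1'                        # okf/let1
def okf2(f): return f[0] == 'app1'                       # okf2/app1

def gen_start(state, end):
    """Index i with state[i:end] generated from one gen, else None.  The rightmost
    atom fixes the last gen/* step (inversion), so the parse is deterministic."""
    if end == 0:
        return None
    kind, *args = state[end - 1]
    if kind in ('eval', 'error'):                        # gen/eval, gen/error
        return end - 1
    if kind == 'retn':                                   # gen/retn needs !value V
        return end - 1 if is_value(args[0]) else None
    if kind == 'cont' and okf(args[0]):                  # gen/cont: one gen before
        return gen_start(state, end - 1)
    if kind == 'cont2' and okf2(args[0]):                # gen/cont2: two gens before
        mid = gen_start(state, end - 1)
        return None if mid is None else gen_start(state, mid)
    if kind == 'handle':                                 # gen/handle: one gen before
        return gen_start(state, end - 1)
    return None

def well_formed(state):
    """state lies in the world generated from (x0:<gen> ord) by Figure 9.2."""
    return gen_start(state, len(state)) == 0

def fire(w):
    """Right-hand side of the Figure 9.1 rule whose left-hand side matches the
    window w of 1-3 adjacent atoms, or None if no rule applies."""
    heads = tuple(a[0] for a in w)
    if heads == ('eval',):
        e = w[0][1]
        if e[0] in ('unit', 'lam'): return (('retn', e),)                                  # ev/unit, ev/lam
        if e[0] == 'let':   return (('eval', e[1]), ('cont', ('let1', e[2], e[3])))         # ev/let
        if e[0] == 'app':   return (('eval', e[1]), ('eval', e[2]), ('cont2', ('app1',)))   # ev/app
        if e[0] == 'fail':  return (('error',),)                                            # ev/fail
        if e[0] == 'catch': return (('eval', e[1]), ('handle', e[2]))                       # ev/catch
        return None                                      # free variable: stuck
    if heads == ('retn', 'cont') and okf(w[1][1]):       # ev/let1
        _, x, body = w[1][1]
        return (('eval', subst(body, x, w[0][1])),)
    if heads == ('retn', 'handle'): return (w[0],)                  # ev/catcha
    if heads == ('error', 'handle'): return (('eval', w[1][1]),)   # ev/catchb
    if heads == ('error', 'cont'): return (('error',),)            # ev/error
    if heads == ('retn', 'retn', 'cont2') and w[0][1][0] == 'lam' and okf2(w[2][1]):
        _, x, body = w[0][1]                             # ev/app1
        return (('eval', subst(body, x, w[1][1])),)
    if heads in (('error', 'error', 'cont2'), ('error', 'retn', 'cont2'),
                 ('retn', 'error', 'cont2')):            # ev/errerr, ev/errret, ev/reterr
        return (('error',),)
    return None

def successors(state):
    """All states one step away; with parallel evaluation there can be several."""
    out = []
    for i in range(len(state)):
        for n in (1, 2, 3):
            rhs = fire(state[i:i + n]) if i + n <= len(state) else None
            if rhs is not None:
                out.append(state[:i] + rhs + state[i + n:])
    return out

def reachable(e):
    """All states reachable from (x:<eval e> ord); finite for the samples below."""
    seen, todo = set(), [(('eval', e),)]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(successors(s))
    return seen

def preserved(e):
    """Theorem 9.2, checked exhaustively on every state reachable from e."""
    return all(well_formed(s) for s in reachable(e))

# Constructed sample programs.
UNIT = ('unit',)
ID = ('lam', 'x', ('var', 'x'))
E_APP = ('app', ID, UNIT)                                # (λx.x) ()
E_CATCH = ('catch', ('app', ('lam', 'y', ('fail',)), UNIT), UNIT)
E_LET = ('let', E_APP, 'z', ('app', ID, ('var', 'z')))
E_STUCK = ('app', UNIT, UNIT)     # well formed at every step, but gets stuck
```

Calling `preserved(E_STUCK)` returns True even though `successors` has nothing to fire on its final state `(retn (), retn (), cont2 app1)`: the invariant of Figure 9.2 rules out mis-shaped states but not a non-function in function position, which is why the typed refinement of Figure 9.4 indexes gen with a type.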


9.3 From well-formed to well-typed states

In order to describe those expressions whose evaluations never get stuck, we introduce object-level types $tp$ and define a typing judgment $\Gamma \vdash e : tp$. We encode object-level types as LF terms classified by the LF type typ. The unit type $\ulcorner 1\urcorner = unittp$ classifies units $\ulcorner ()\urcorner = unit$, and the function type $\ulcorner tp_1 \to tp_2\urcorner = arr\ \ulcorner tp_1\urcorner\ \ulcorner tp_2\urcorner$ classifies lambda expressions.
of: exp -> typ -> prop.
of/unit: of unit unittp.
of/lam: of (lam \x. E x) (arr Tp' Tp)
  <- (All x. of x Tp' -> of (E x) Tp).
of/app: of (app E1 E2) Tp
  <- of E1 (arr Tp' Tp)
  <- of E2 Tp'.
of/fail: of fail Tp.
of/catch: of (catch E1 E2) Tp
  <- of E1 Tp
  <- of E2 Tp.

off: frame -> typ -> typ -> prop.
off/let1: off (let1 \x. E' x) Tp' Tp
  <- (All x. of x Tp' -> of (E' x) Tp).

off2: frame -> typ -> typ -> typ -> prop.
off2/app1: off2 app1 (arr Tp' Tp) Tp' Tp.

gen: typ -> prop ord.
gen/eval: gen Tp * !of E Tp >-> {eval E}.
gen/retn: gen Tp * !of V Tp * !value V >-> {retn V}.
gen/cont: gen Tp * !off F Tp' Tp >-> {gen Tp' * cont F}.
gen/cont2: gen Tp * !off2 F Tp1 Tp2 Tp >-> {gen Tp1 * gen Tp2 * cont2 F}.
gen/error: gen Tp >-> {error}.
gen/handle: gen Tp * !of E2 Tp >-> {gen Tp * handle E2}.

Figure 9.4: Generative invariant: well-typed process states


In a syntax-directed type system, each syntactic construct is associated with a different typing rule. These are the typing rules necessary for describing the language constructs in Figure 9.1:

\[
\frac{}{\Gamma \vdash () : 1}
\qquad
\frac{\Gamma, x{:}tp' \vdash e : tp}{\Gamma \vdash \lambda x.e : tp' \to tp}
\qquad
\frac{\Gamma \vdash e_1 : tp' \to tp \quad \Gamma \vdash e_2 : tp'}{\Gamma \vdash e_1\,e_2 : tp}
\]

\[
\frac{}{\Gamma \vdash fail : tp}
\qquad
\frac{\Gamma \vdash e_1 : tp \quad \Gamma \vdash e_2 : tp}{\Gamma \vdash try\ e_1\ ow\ e_2 : tp}
\]

We can adequately encode derivations of the judgment $x_1{:}tp_1, \ldots, x_n{:}tp_n \vdash e : tp$ as SLS derivations $x_1{:}exp, \ldots, x_n{:}exp;\ y_1{:}\langle of\ x_1\ \ulcorner tp_1\urcorner\rangle\ pers, \ldots, y_n{:}\langle of\ x_n\ \ulcorner tp_n\urcorner\rangle\ pers \vdash of\ \ulcorner e\urcorner\ \ulcorner tp\urcorner$ under the signature in Figure 9.4.

This typing judgment allows us to describe well-formed initial states, but it is not sufficient to describe intermediate states. To this end, we describe typing rules for frames, refining the negative predicates okf f and okf2 f from Figure 9.2. The SLS proposition describing well-typed sequential frames is $(off\ \ulcorner f\urcorner\ \ulcorner tp'\urcorner\ \ulcorner tp\urcorner)$. This proposition expresses that the frame $f$ expects a returned result with type $tp'$ and produces a computation with type $tp$.⁷ The parallel version is $(off2\ \ulcorner f\urcorner\ \ulcorner tp_1\urcorner\ \ulcorner tp_2\urcorner\ \ulcorner tp\urcorner)$, and expects two sub-computations with types $tp_1$ and $tp_2$, respectively, in order to produce a computation of type $tp$. These judgments are given in Figure 9.4.

The generative rules in Figure 9.4 are our first use of an indexed nonterminal, gen ⌜tp⌝, which generates computations that, upon successful return, will produce values $v$ such that $\cdot \vdash v : tp$.

9.3.1  Inversion 

The  structure  of  inversion  lemmas  is  entirely  unchanged,  except  that  it  has  to  account  for  type 
indices.  We  only  state  two  cases  of  the  inversion  lemma,  the  one  corresponding  to  gen/eval  and 
the  one  corresponding  to  gen/cont.  These  two  cases  suffice  to  set  up  the  template  that  all  other 
cases  follow. 

Lemma (Inversion - Figure 9.2, partial).

1. If $T :: (x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Theta\{y{:}(eval\ e)\ ord\}$,
   then $T = (T';\ \{y\} \leftarrow gen/eval\ tp\ e\ (x' \bullet\ !N))$,
   where $\cdot \vdash N : of\ e\ tp\ true$.

2. If $T :: (x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Theta\{y_1{:}(gen\ tp')\ ord,\ y_2{:}(cont\ f)\ ord\}$,
   then $T = (T';\ \{y_1, y_2\} \leftarrow gen/cont\ tp\ f\ tp'\ (x' \bullet\ !N))$,
   where $\cdot \vdash N : off\ f\ tp'\ tp\ true$.

In each instance above, $T' :: (x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Theta\{x'{:}(gen\ tp)\ ord\}$, where the variables $x_0$ and $x'$ may or may not be the same. (They are the same iff $T' = \diamond$, and if they are the same that implies $tp_0 = tp$.)


9.3.2  Preservation 

Theorem  9.3  only  differs  from  Theorem  9.2  because  it  mentions  the  type  index.  Each  object-level 
type  tp0  describes  a  different  world  (that  is,  a  different  set  of  SLS  process  states),  and  evaluation 
under  the  rules  in  Figure  9.1  always  stays  within  the  same  world. 

Theorem 9.3 ($\Sigma_{Gen9.4}$ is a generative invariant). If $T_1 :: (x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Delta$ and $S :: \Delta \leadsto \Delta'$ under the signature from Figure 9.1, then $T_2 :: (x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Delta'$.

[Diagram: the given trace $(x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Delta$ and the step $\Delta \leadsto \Delta'$, with the dashed trace $(x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.4}} \Delta'$ that the theorem constructs.]

7 The judgment we encode in SLS as $(off\ f\ \ulcorner tp'\urcorner\ \ulcorner tp\urcorner)$ is written $f : tp' \Rightarrow tp$ in [Har12, Chapter 27].
In the proof of Theorem 9.2, we observed that the applicable inversion on the generative trace gave us derivations like $\cdot \vdash N : okf2\ app1\ true$. We did not need these side derivations to complete the proof, but we noted that they were amenable to traditional inversion. Traditional inversion will be critical in proving that the generative invariant described by $\Sigma_{Gen9.4}$ is preserved. It is a solved problem to describe, prove, and mechanize traditional inversion lemmas on deductive derivations; we merely point out when we are using a traditional inversion property in the proof below.

Proof. As always, the proof proceeds by enumeration, inversion, and reconstruction. We give two representative cases:

Case $\{y\} \leftarrow ev/app1\ (\lambda x.e)\ v_2\ (x_1 \bullet x_2 \bullet x_3)$
    $:: \Theta\{x_1{:}(retn\ (lam\ \lambda x.e))\ ord,\ x_2{:}(retn\ v_2)\ ord,\ x_3{:}(cont2\ app1)\ ord\}$
    $\leadsto \Theta\{y{:}(eval\ ([v_2/x]e))\ ord\}$

Applying inversion to $T_1$, we have

$T_1 = (x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $\Theta\{x'{:}(gen\ tp)\ ord\}$
    $\{x_1', x_2', x_3\} \leftarrow gen/cont2\ tp\ app1\ tp''\ tp'\ (x' \bullet\ !N)$
    $\Theta\{x_1'{:}(gen\ tp'')\ ord,\ x_2'{:}(gen\ tp')\ ord,\ x_3{:}(cont2\ app1)\ ord\}$
    $\{x_1\} \leftarrow gen/retn\ tp''\ (lam\ \lambda x.e)\ (x_1' \bullet\ !N_1 \bullet\ !N_{v1})$
    $\{x_2\} \leftarrow gen/retn\ v_2\ (x_2' \bullet\ !N_2 \bullet\ !N_{v2})$
    $\Theta\{x_1{:}(retn\ (lam\ \lambda x.e))\ ord,\ x_2{:}(retn\ v_2)\ ord,\ x_3{:}(cont2\ app1)\ ord\}$

where

• $\cdot \vdash N : off2\ app1\ tp''\ tp'\ tp\ true$. By traditional inversion we know $tp'' = arr\ tp'\ tp$ and $N = off2/app1\ tp'\ tp$.

• $\cdot \vdash N_1 : of\ (lam\ \lambda x.e)\ (arr\ tp'\ tp)\ true$. By traditional inversion we know $x{:}exp;\ d_x{:}(of\ x\ tp')\ pers \vdash N_1' : of\ e\ tp\ true$.

• $\cdot \vdash N_2 : of\ v_2\ tp'$.

With these derivations, variable substitution (Theorem 3.4), and cut admissibility (Theorem 3.6), we have a derivation of $\cdot \vdash [N_2/d_x]([v_2/x]N_1') : of\ ([v_2/x]e)\ tp\ true$.8 We can therefore use $T'$ to construct $T_2$ as follows:

$T_2 = (x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $\Theta\{x'{:}(gen\ tp)\ ord\}$
    $\{y\} \leftarrow gen/eval\ tp\ ([v_2/x]e)\ (x' \bullet\ !([N_2/d_x]([v_2/x]N_1')))$
    $\Theta\{y{:}(eval\ ([v_2/x]e))\ ord\}$

8 We know by subordination that $x$ is not free in $tp$, so $[v_2/x]tp = tp$.

Case $\{y_1, y_2\} \leftarrow ev/catch\ e_1\ e_2\ x$
    $:: \Theta\{x{:}(eval\ (catch\ e_1\ e_2))\ ord\} \leadsto \Theta\{y_1{:}(eval\ e_1)\ ord,\ y_2{:}(handle\ e_2)\ ord\}$

Applying inversion to $T_1$, we have

$T_1 = (x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $\Theta\{x'{:}(gen\ tp)\ ord\}$
    $\{x\} \leftarrow gen/eval\ tp\ (catch\ e_1\ e_2)\ (x' \bullet\ !N)$
    $\Theta\{x{:}(eval\ (catch\ e_1\ e_2))\ ord\}$

where $\cdot \vdash N : of\ (catch\ e_1\ e_2)\ tp$.

By traditional inversion on $N$ we know $\cdot \vdash N_1 : of\ e_1\ tp\ true$ and $\cdot \vdash N_2 : of\ e_2\ tp\ true$. We can therefore use $T'$ to construct $T_2$ as follows:

$T_2 = (x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $\Theta\{x'{:}(gen\ tp)\ ord\}$
    $\{y_1', y_2\} \leftarrow gen/handle\ tp\ e_2\ (x' \bullet\ !N_2)$
    $\{y_1\} \leftarrow gen/eval\ tp\ e_1\ (y_1' \bullet\ !N_1)$
    $\Theta\{y_1{:}(eval\ e_1)\ ord,\ y_2{:}(handle\ e_2)\ ord\}$

The other cases follow the same pattern. □

Dealing with type preservation is, in a sense, no more difficult than dealing with well-formedness invariants. Theorem 9.3 furthermore follows the contours of a standard progress and preservation proof for an abstract machine like Harper's $\mathcal{K}\{\mathsf{nat}{\rightharpoonup}\}$ [Har12, Chapter 27]. Unlike the on-paper formalism used by Harper, the addition of parallel evaluation in our specification does not further complicate the statement or the proof of the preservation theorem.


9.4  State 

Ambient  state,  encoded  in  mobile  and  persistent  propositions,  was  used  to  describe  mutable 
storage  in  Section  6.5.1,  call-by-need  evaluation  in  Section  6.5.2,  and  the  environment  semantics 
in  Section  6.5.3.  The  technology  needed  to  describe  generative  invariants  for  each  of  these 
specifications  is  similar.  We  will  consider  the  extension  of  our  program  from  Figure  9.1  with 
the  semantics  of  mutable  storage  from  Figure  6.14.  This  specification  adds  a  mobile  atomic 
proposition  cell  l  v,  which  the  generative  signature  will  treat  as  a  new  terminal. 

The intuition behind mutable cells is that they exist in tandem with locations $l$ of LF type $mutable\_loc$, giving the non-control part of a process state the following general form:

$(l_1{:}mutable\_loc, \ldots, l_n{:}mutable\_loc;\ (cell\ l_1\ v_1)\ eph, \ldots, (cell\ l_n\ v_n)\ eph, \ldots)$

Naively, we might attempt to describe such process states with the block-like rule $gen/cell/bad : \forall v.\ !value\ v \rightarrowtail \{\exists l.\ cell\ l\ v\}$. The problem with such a specification is that it makes cells unable to refer to themselves, a situation that can certainly occur. A canonical example, using back-patching to implement recursion, is traced out in Figure 9.4, which describes a trace classified by:

$(\cdot;\ x_0{:}(eval\ \ulcorner \mathsf{let}\ f = (\mathsf{ref}\ \lambda x.())\ \mathsf{in}\ \mathsf{let}\ x = (f := \lambda x.(!f)\,x)\ \mathsf{in}\ e\urcorner)\ ord) \leadsto^*$
$(l_1{:}mutable\_loc;\ y_2{:}(cell\ l_1\ (lam\ \lambda x.\ app\ (get\ (loc\ l_1))\ x))\ eph,\ x_{17}{:}(eval\ [(loc\ l_1)/f,\ unit/x]\ulcorner e\urcorner)\ ord)$

The name of this problem is parameter dependency: the term $v$ in $gen/cell/bad$ has to be instantiated before the parameter $l$ is introduced. As a result, the trace in Figure 9.4 includes a step

$\{x_{16}, y_2\} \leftarrow ev/set2\ \ldots\ (x_{15} \bullet x_{14} \bullet y_1)$

that transitions from a state that can be described by Figure 9.2 extended with $gen/cell/bad$ to a state that cannot be described by this signature. This means that $gen/cell/bad$ cannot be the basis of a generative invariant: it's not invariant!

The solution is to create cells in two steps. The first rule, a promise rule, creates the location $l$ and associates a mobile nonterminal $gencell$ with that location. A second fulfill rule consumes that nonterminal and creates the actual mutable cell. Because $gencell$ is a mobile nonterminal, the promise must be fulfilled in order for the final state to pass through the restriction operation. As we have already seen, there is not much of a technical difference between well-formedness invariants and well-typedness invariants; Figure 9.6 describes a generative signature that captures type information. This specification introduces two nonterminals. The first is the aforementioned mobile nonterminal $gencell\ l$, representing the promise to eventually create a cell corresponding to the location $l$. The second is a persistent nonterminal $ofcell\ l\ tp$. The collection of $ofcell$ propositions introduced by a generative trace collectively plays the role of a store typing in [Pie02, Chapter 13] or a signature in [Har12, Chapter 35]. This promise-then-fulfill pattern appears to be a significant one, and it can be described quite naturally in generative signatures, despite being absent from work on regular-worlds-based reasoning about LF and Linear LF specifications.

9.4.1  Inversion 

When we add mutable state, we must significantly generalize the statement of inversion lemmas. Derivations and expressions now exist in a world with arbitrary locations $l{:}mutable\_loc$ that are paired with persistent propositions $ofcell\ l\ tp$.9

Lemma (Inversion - Figure 9.6, partial).

1. If $T :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{y{:}(eval\ e)\ ord\})$,
   then $T = (T';\ \{y\} \leftarrow gen/eval\ tp\ e\ (x' \bullet\ !N))$,
   where $\Psi; \Delta \vdash N : of\ e\ tp\ true$,
   $T' :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{x'{:}(gen\ tp)\ ord\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gen\ tp)\ ord\}$.

2. If $T :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{y_1{:}(gen\ tp')\ ord,\ y_2{:}(cont\ f)\ ord\})$,
   then $T = (T';\ \{y_1, y_2\} \leftarrow gen/cont\ tp\ f\ tp'\ (x' \bullet\ !N))$,
   where $\Psi; \Delta \vdash N : off\ f\ tp'\ tp\ true$,

9 This purely persistent world fits the pattern of regular worlds. As such, it can be described either with the single rule $\forall tp.\ \{\exists l.\ ofcell\ l\ tp\}$ or with the equivalent block $\mathsf{some}\ tp{:}typ\ \mathsf{block}\ l{:}mutable\_loc,\ x{:}(ofcell\ l\ tp)\ pers$.
Figure 9.5: Back-patching, with judgments (ord and eph) and arguments corresponding to implicit quantifiers elided

$x_0{:}(eval\ \ulcorner \mathsf{let}\ f = (\mathsf{ref}\ \lambda x.())\ \mathsf{in}\ \mathsf{let}\ x = (f := \lambda x.(!f)\,x)\ \mathsf{in}\ e\urcorner)$
$\{x_1, x_2\} \leftarrow ev/let1\ \ldots\ x_0$
$x_1{:}(eval\ \ulcorner \mathsf{ref}\ \lambda x.()\urcorner),\ x_2{:}(cont\ (let1\ \lambda f.\ \ulcorner \mathsf{let}\ x = (f := \lambda x.(!f)\,x)\ \mathsf{in}\ e\urcorner))$
$\{x_3, x_4\} \leftarrow ev/ref\ \ldots\ x_1$
…


ofcell: mutable_loc -> typ -> prop pers.
gencell: mutable_loc -> prop lin.

value/loc: value (loc L).

of/loc: of (loc L) (reftp Tp)
  <- ofcell L Tp.
of/ref: of (ref E) (reftp Tp)
  <- of E Tp.
of/get: of (get E) Tp
  <- of E (reftp Tp).
of/set: of (set E1 E2) unittp
  <- of E1 (reftp Tp)
  <- of E2 Tp.

off/ref1: off ref1 Tp (reftp Tp).
off/get1: off get1 (reftp Tp) Tp.
off/set1: off (set1 E) (reftp Tp) unittp
  <- of E Tp.
off/set2: off (set2 L) Tp unittp
  <- ofcell L Tp.

gencell/promise: {Exists l. !ofcell l Tp * $gencell l}.
gencell/fulfill: $gencell L * !ofcell L Tp * !of V Tp * !value V
  >-> {$cell L V}.

Figure 9.6: Generative invariant: well-typed mutable storage


   $T' :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{x'{:}(gen\ tp)\ ord\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gen\ tp)\ ord\}$.

3. If $T :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{y{:}(cell\ l\ v)\ eph\})$,
   then $T = (T';\ \{y\} \leftarrow gencell/fulfill\ l\ tp\ v\ (x' \bullet x_l \bullet\ !N \bullet\ !N_v))$,
   where $x_l{:}(ofcell\ l\ tp)\ pers \in \Delta$, $\Psi; \Delta \vdash N : of\ v\ tp\ true$, $\Psi; \Delta \vdash N_v : value\ v\ true$,
   $T' :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta\{x'{:}(gencell\ l)\ eph\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gencell\ l)\ eph\}$.

Despite  complicating  the  statement  of  inversion  theorems,  the  addition  of  mutable  state  does 
nothing  to  change  the  structure  of  these  theorems.  The  new  inversion  lemma  (part  3  above) 
follows  the  pattern  established  in  Section  9.2.1. 
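The deductive typing judgment of Section 9.3 and the store-typing discipline of Figure 9.6 can be exercised mechanically. The Python program below is an added example, not code from the dissertation or from the SLS implementation: it decides the judgment $of\ e\ tp$ for the constructs of Figure 9.1 together with loc, ref, get and set, treating a dictionary from locations to types as the collection of $ofcell\ l\ tp$ facts, and it checks the gencell/fulfill side conditions for every cell of a constructed process state. The tuple encodings of terms and types, the names SELF_REF, STORE and backpatch_demo, and the location name l1 are assumptions of the example. Run on the back-patched cell of this section, the check succeeds only when the promise for l1 is already in the store typing; typing the stored value before l1 exists, which is what gen/cell/bad would require, fails.

```python
# Added example; not code from the dissertation or from the SLS implementation.
# Terms:  ('unit',) ('var',x) ('lam',x,e) ('app',e1,e2) ('fail',) ('try',e1,e2)
#         ('loc',l) ('ref',e) ('get',e) ('set',e1,e2)
# Types:  ('unittp',) ('arr',tp1,tp2) ('reftp',tp)
# ctx   : variable -> type, the hypotheses y_i:(of x_i tp_i) pers
# store : location -> type, the collection of ofcell l tp facts (store typing)

UNITTP = ('unittp',)


def arr(tp1, tp2):
    return ('arr', tp1, tp2)


def reftp(tp):
    return ('reftp', tp)


def is_value(e):
    """Unit and lambda values of Figure 9.1 plus value/loc of Figure 9.6."""
    return e[0] in ('unit', 'lam', 'loc')


def synth(e, ctx, store):
    """Synthesise the type of e, or None when no rule applies.  A lambda in
    function position cannot be synthesised (the application rule would have
    to guess tp'), so such terms must be checked against a given type."""
    tag = e[0]
    if tag == 'unit':
        return UNITTP
    if tag == 'var':
        return ctx.get(e[1])
    if tag == 'loc':                       # of/loc: needs ofcell l tp in the store typing
        return reftp(store[e[1]]) if e[1] in store else None
    if tag == 'ref':                       # of/ref
        tp = synth(e[1], ctx, store)
        return None if tp is None else reftp(tp)
    if tag == 'get':                       # of/get
        tp = synth(e[1], ctx, store)
        return tp[1] if tp is not None and tp[0] == 'reftp' else None
    if tag == 'set':                       # of/set: set e1 e2 : unittp
        tp1 = synth(e[1], ctx, store)
        if tp1 is None or tp1[0] != 'reftp':
            return None
        return UNITTP if check(e[2], tp1[1], ctx, store) else None
    if tag == 'app':                       # application rule: e1 : tp' -> tp, e2 : tp'
        tp1 = synth(e[1], ctx, store)
        if tp1 is None or tp1[0] != 'arr':
            return None
        return tp1[2] if check(e[2], tp1[1], ctx, store) else None
    return None                            # lam, fail, try are checked, not synthesised


def check(e, tp, ctx, store):
    """Decide the judgment of e tp (Gamma |- e : tp) against a given type."""
    tag = e[0]
    if tag == 'lam':                       # Gamma, x:tp' |- e : tp  /  Gamma |- \x.e : tp' -> tp
        return tp[0] == 'arr' and check(e[2], tp[2], {**ctx, e[1]: tp[1]}, store)
    if tag == 'fail':                      # fail inhabits every type
        return True
    if tag == 'try':                       # try e1 ow e2: both branches at tp
        return check(e[1], tp, ctx, store) and check(e[2], tp, ctx, store)
    if tag == 'ref' and tp[0] == 'reftp':  # of/ref in checking mode
        return check(e[1], tp[1], ctx, store)
    return synth(e, ctx, store) == tp


def well_typed_cells(cells, store):
    """gencell/fulfill side conditions for every cell l v of a process state:
    ofcell l tp must exist, v must be a value, and of v tp must hold.
    cells: location -> stored term."""
    return all(l in store and is_value(v) and check(v, store[l], {}, store)
               for l, v in cells.items())


# Constructed instance of the back-patched state of Section 9.4 (assumed
# names): cell l1 holds  lam \x. app (get (loc l1)) x,  a closure that reads
# its own cell, and the promise ofcell l1 (arr unittp unittp).
L1 = 'l1'
SELF_REF = ('lam', 'x', ('app', ('get', ('loc', L1)), ('var', 'x')))
STORE = {L1: arr(UNITTP, UNITTP)}


def backpatch_demo():
    """(the cell checks with the promise in place,
        the same value typed before l1 exists, as gen/cell/bad would need)"""
    return (well_typed_cells({L1: SELF_REF}, STORE),
            check(SELF_REF, arr(UNITTP, UNITTP), {}, {}))


if __name__ == '__main__':
    print(backpatch_demo())                # (True, False)
```

The checker is bidirectional only as far as the rules force it: lam, fail and try have no synthesising rule on the page, so they are checked against a type that the surrounding context supplies, exactly as the application rule supplies $tp'$ for its argument.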

9.4.2  Uniqueness 

To prove that our generative invariant for mutable storage is maintained, we need one property besides inversion; we'll refer to it as the unique index property. This is the property that, under the generative signature described by $\Sigma_{Gen9.6}$, locations always map uniquely to persistent positive propositions $x_l{:}(ofcell\ l\ tp)$.

Lemma (Unique indices of $\Sigma_{Gen9.6}$).

1. If $T :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\Delta)$,
   $x{:}(ofcell\ l\ tp)\ pers \in \Delta$,
   and $y{:}(ofcell\ l\ tp')\ pers \in \Delta$,
   then $x = y$ and $tp = tp'$.

Proof.  Induction  and  case  analysis  on  the  last  steps  of  the  trace  T.  □ 

9.4.3  Preservation 

As it was with inversion, the statement of preservation is substantially altered by the addition of locations and mutable state, even though the structure of the proof is not. In particular, because $ofcell$ is a persistent nonterminal, we have to expressly represent the fact that the restriction operator $(\Psi;\Delta)^\natural$ will modify the context $\Delta$ by erasing the store typing.

Theorem 9.4 ($\Sigma_{Gen9.6}$ is a generative invariant). If $T_1 :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\Delta)$ and $S :: (\Psi;\Delta)^\natural \leadsto (\Psi';\Delta')$ under the combined signature from Figure 9.1 and Figure 6.14, then $(\Psi';\Delta') = (\Psi';\Delta'')^\natural$ for some $\Delta''$ such that $T_2 :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi';\Delta'')$.

[Diagram: the given trace $(\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\Delta)$, its restriction $(\Psi;\Delta)^\natural$, the step to $(\Psi';\Delta')$, and the dashed trace $(\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi';\Delta'')$ whose restriction is $(\Psi';\Delta')$.]

Proof. As always, the proof proceeds by enumeration, inversion, and reconstruction. The only interesting cases are the three that actually manipulate state, corresponding to ev/ref1, ev/get1, and ev/set2. Recall these three rules from Figure 6.14:

ev/ref1: retn V * cont ref1
  >-> {Exists l. $cell l V * retn (loc l)}.
ev/get1: retn (loc L) * cont get1 * $cell L V
  >-> {retn V * $cell L V}.
ev/set2: retn V2 * cont (set2 L) * $cell L _
  >-> {retn unit * $cell L V2}.

Reasoning about the last two cases is similar, so we only give the cases for ev/ref1 and ev/get1 below.

Case $\{l, y_1, y_2\} \leftarrow ev/ref1\ v\ (x_1 \bullet x_2)$
    $:: (\Psi;\ \Theta\{x_1{:}(retn\ v)\ ord,\ x_2{:}(cont\ ref1)\ ord\})$
    $\leadsto (\Psi, l{:}mutable\_loc;\ \Theta\{y_1{:}(cell\ l\ v)\ eph,\ y_2{:}(retn\ (loc\ l))\ ord\})$


•;  a:0:(gen  tp0)  ord ) 


J  Gen9 .6 


(®;A) 

/////// 

(*;A)* 
$T_1 :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta'\{x_1{:}(retn\ v)\ ord,\ x_2{:}(cont\ ref1)\ ord\})$ for some $\Theta'$ such that, for all $S$, $(\Psi;\ \Theta'\{S\})^\natural = (\Psi;\ \Theta\{S^\natural\})$. Applying inversion to $T_1$, we have

$T_1 = (\cdot;\ x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $(\Psi;\ \Theta'\{x'{:}(gen\ tp)\ ord\})$
    $\{x_1', x_2\} \leftarrow gen/cont\ tp\ ref1\ tp'\ (x' \bullet\ !N)$
    $(\Psi;\ \Theta'\{x_1'{:}(gen\ tp')\ ord,\ x_2{:}(cont\ ref1)\ ord\})$
    $\{x_1\} \leftarrow gen/retn\ v\ (x_1' \bullet\ !N_1 \bullet\ !N_{v1})$
    $(\Psi;\ \Theta'\{x_1{:}(retn\ v)\ ord,\ x_2{:}(cont\ ref1)\ ord\})$

where $\Delta$ contains the persistent propositions from $\Theta'$ and where

• $\Psi; \Delta \vdash N : off\ ref1\ tp'\ tp\ true$. By traditional inversion we know $tp = reftp\ tp'$ and $N = off/ref1\ tp'$.

• $\Psi; \Delta \vdash N_1 : of\ v\ tp'\ true$.

• $\Psi; \Delta \vdash N_{v1} : value\ v\ true$.

We can use $T'$ to construct $T_2$ as follows:

$T_2 = (\cdot;\ x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $(\Psi;\ \Theta'\{x'{:}(gen\ (reftp\ tp'))\ ord\})$
    $\{l, z, y_1'\} \leftarrow gencell/promise\ tp'$
    $\{y_1\} \leftarrow gencell/fulfill\ l\ tp'\ v\ (y_1' \bullet z \bullet\ !N_1 \bullet\ !N_{v1})$
    $(\Psi, l{:}mutable\_loc;\ \Theta'\{z{:}(ofcell\ l\ tp')\ pers,\ y_1{:}(cell\ l\ v)\ eph,\ x'{:}(gen\ (reftp\ tp'))\ ord\})$
    $\{y_2\} \leftarrow gen/retn\ (reftp\ tp')\ (loc\ l)\ (x' \bullet\ !(of/loc\ l\ tp'\ z) \bullet\ !(value/loc\ l))$
    $(\Psi, l{:}mutable\_loc;\ \Theta'\{z{:}(ofcell\ l\ tp')\ pers,\ y_1{:}(cell\ l\ v)\ eph,\ y_2{:}(retn\ (loc\ l))\ ord\})$

Restriction removes the persistent nonterminal $z{:}(ofcell\ l\ tp')\ pers$ from the context, so the restriction of $T_2$'s output is $(\Psi, l{:}mutable\_loc;\ \Theta\{y_1{:}(cell\ l\ v)\ eph,\ y_2{:}(retn\ (loc\ l))\ ord\})$ as required.

Case $\{y_1, y_2\} \leftarrow ev/get1\ l\ v\ (x_1 \bullet x_2 \bullet x_3)$
    $:: (\Psi;\ \Theta\{x_1{:}(retn\ (loc\ l))\ ord,\ x_2{:}(cont\ get1)\ ord,\ x_3{:}(cell\ l\ v)\ eph\})$
    $\leadsto (\Psi;\ \Theta\{y_1{:}(retn\ v)\ ord,\ y_2{:}(cell\ l\ v)\ eph\})$

$T_1 :: (\cdot;\ x_0{:}(gen\ tp_0)\ ord) \leadsto^*_{\Sigma_{Gen9.6}} (\Psi;\ \Theta'\{x_1{:}(retn\ (loc\ l))\ ord,\ x_2{:}(cont\ get1)\ ord,\ x_3{:}(cell\ l\ v)\ eph\})$ for some $\Theta'$ such that, for all $S$, $(\Psi;\ \Theta'\{S\})^\natural =(\Psi;\ \Theta\{S^\natural\})$. Applying inversion to $T_1$, we have

$T_1 = (\cdot;\ x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $(\Psi;\ \Theta'\{x'{:}(gen\ tp)\ ord,\ x_3'{:}(gencell\ l)\ eph\})$
    $\{x_3\} \leftarrow gencell/fulfill\ l\ tp'\ v\ (x_3' \bullet z_1 \bullet\ !N_3 \bullet\ !N_{v3})$
gencount/finalize: $gencount N >-> {$counter N}.

gencell/promise: $gencount N
  >-> {Exists l.
       !ofcell l Tp * $gencell l N * $gencount (s N)}.

gencell/fulfill: $gencell L N * !ofcell L Tp * !of V Tp * !value V
  >-> {$cell L N V}.

Figure 9.7: Generative invariants for cells with unique natural-number tags

    $(\Psi;\ \Theta'\{x'{:}(gen\ tp)\ ord,\ x_3{:}(cell\ l\ v)\ eph\})$
    $\{x_1', x_2\} \leftarrow gen/cont\ tp\ get1\ tp''\ (x' \bullet\ !N_2)$
    $\{x_1\} \leftarrow gen/retn\ tp''\ (loc\ l)\ (x_1' \bullet\ !N_1 \bullet\ !N_{v1})$
    $(\Psi;\ \Theta'\{x_1{:}(retn\ (loc\ l))\ ord,\ x_2{:}(cont\ get1)\ ord,\ x_3{:}(cell\ l\ v)\ eph\})$

where $\Delta$ contains the persistent propositions from $\Theta'$ and where

• $\Psi; \Delta \vdash N_2 : off\ get1\ tp''\ tp\ true$. By traditional inversion we know $tp'' = reftp\ tp$ and $N_2 = off/get1\ tp$.

• $\Psi; \Delta \vdash N_1 : of\ (loc\ l)\ (reftp\ tp)\ true$. By traditional inversion we know $N_1 = of/loc\ l\ tp\ x''$ where $x''{:}(ofcell\ l\ tp)\ pers \in \Delta$.

• $z_1{:}(ofcell\ l\ tp')\ pers \in \Delta$.

• $\Psi; \Delta \vdash N_3 : of\ v\ tp'\ true$.

• $\Psi; \Delta \vdash N_{v3} : value\ v\ true$.

By the uniqueness lemma, we have that $x'' = z_1$ and $tp' = tp$. Therefore, we can use $T'$ to construct $T_2$ as follows:

$T_2 = (\cdot;\ x_0{:}(gen\ tp_0)\ ord)$
    $T'$
    $(\Psi;\ \Theta'\{x'{:}(gen\ tp)\ ord,\ x_3'{:}(gencell\ l)\ eph\})$
    $\{y_2\} \leftarrow gencell/fulfill\ l\ tp\ v\ (x_3' \bullet z_1 \bullet\ !N_3 \bullet\ !N_{v3})$
    $(\Psi;\ \Theta'\{x'{:}(gen\ tp)\ ord,\ y_2{:}(cell\ l\ v)\ eph\})$
    $\{y_1\} \leftarrow gen/retn\ tp\ v\ (x' \bullet\ !N_3 \bullet\ !N_{v3})$
    $(\Psi;\ \Theta'\{y_1{:}(retn\ v)\ ord,\ y_2{:}(cell\ l\ v)\ eph\})$

$(\Psi;\ \Theta\{y_1{:}(retn\ v)\ ord,\ y_2{:}(cell\ l\ v)\ eph\})$ is the restriction of $T_2$'s output, as required. The other cases, notably ev/set2, follow the same pattern. □


9.4.4  Revisiting  pointer  inequality 

As we discussed in Section 6.5.1, the fact that SLS variables cannot be directly checked for inequality complicates the representation of languages that can check for the inequality of locations. One way of circumventing this shortcoming is by keeping a runtime counter in the form of an ephemeral atomic proposition $count\ n$ that counts the number of currently allocated cells; the
gen: typ -> dest -> prop lin.

gen/dest: {Exists d:dest. one}.
gen/eval: $gen T D * !of E T >-> {$eval E D}.
gen/retn: $gen T D * !of V T * !value V >-> {$retn V D}.
gen/cont: $gen T D * !off F T' T
  >-> {Exists d'. $gen T' d' * $cont F d' D}.

Figure 9.8: Generative invariant: destination-passing ("obvious" formulation)


rule ev/ref1 that allocates a new cell must be modified to access and increment this counter and to attach the counter's value to the new cell. Inequality of those natural number tags can then be used as a proxy for inequality of locations.

A  generative  signature  like  the  one  in  Figure  9.7  could  be  used  to  represent  the  invariant 
that  each  location  and  each  cell  is  associated  with  a  unique  natural  number.  The  techniques 
described  in  this  chapter  should  therefore  be  sufficient  to  describe  generative  invariants  of  SSOS 
specifications  that  implement  pointer  inequality  in  this  way. 


9.5  Destination-passing 

Destination-passing style specifications, as discussed in Chapter 7, are not a focus of this dissertation, but they deserve mention for two reasons. First, they are of paramount importance in the context of the logical framework CLF, a framework that lacks SLS's notions of order. Second, the work of Cervesato and Sans [CS13] is the most closely related work on describing progress and preservation properties for SSOS-like specifications; their work closely resembles a destination-passing specification. As such, the preservation property given in this section can be viewed as an encoding of the proof by Cervesato and Sans in SLS.

In  this  section,  we  will  work  with  an  operational  semantics  derived  from  the  signature  given 
in  Figure  7.5  (sequential  evaluation  of  function  application)  in  Chapter  7.  To  use  sequential 
application  instead  of  parallel  evaluation  of  function  application,  we  will  need  to  give  different 
typing  rules  for  frames: 

off/app1: off (app1 E) (arr Tp' Tp) Tp
  <- of E Tp'.
off/app2: off (app2 \x. E x) Tp' Tp
  <- (All x. of x Tp' -> of (E x) Tp).

Other  than  this  change,  our  deductive  typing  rules  stay  the  same. 

When  we  move  from  ordered  abstract  machines  to  destination-passing  style,  the  most  natural 
adaptation  of  generative  invariants  is  arguably  the  one  given  in  Figure  9.8.  In  that  figure,  the  core 
nonterminal  is  the  mobile  proposition  gen  tp  d.  The  rule  gen/dest,  which  creates  destinations 
gen: typ -> dest -> prop lin.
gendest: dest -> dest -> prop lin.

dest/promise: {Exists d'. $gendest d' D}.
dest/unused: ($gendest D' D) >-> {one}.

gen/eval: $gen Tp D * !of E Tp >-> {$eval E D}.
gen/retn: $gen Tp D * !of V Tp * !value V >-> {$retn V D}.
gen/cont: $gen Tp D * !off F Tp' Tp * $gendest D' D
  >-> {$gen Tp' D' * $cont F D' D}.

Figure 9.9: Generative invariant: destination-passing (modified formulation)


freely, is necessary, as we can see from the following sequence of process states:

$(d_0{:}dest;\ x_1{:}(eval\ \ulcorner(\lambda x.e)\ e_2\urcorner\ d_0)\ eph) \leadsto$
$(d_0{:}dest, d_1{:}dest;\ x_2{:}(eval\ \ulcorner\lambda x.e\urcorner\ d_1)\ eph,\ x_3{:}(cont\ (app1\ \ulcorner e_2\urcorner)\ d_1\ d_0)\ eph) \leadsto$
$(d_0{:}dest, d_1{:}dest;\ x_4{:}(retn\ \ulcorner\lambda x.e\urcorner\ d_1)\ eph,\ x_3{:}(cont\ (app1\ \ulcorner e_2\urcorner)\ d_1\ d_0)\ eph) \leadsto$
$(d_0{:}dest, d_1{:}dest, d_2{:}dest;\ x_5{:}(eval\ \ulcorner e_2\urcorner\ d_2)\ eph,\ x_6{:}(cont\ (app2\ \ulcorner\lambda x.e\urcorner)\ d_2\ d_0)\ eph) \ldots$

In the final state, $d_1$ is isolated, no longer mentioned anywhere else in the process state, so gen/dest must be used in the generative trace showing that the last state above is well-typed.

We will not use the form described in Figure 9.8 in this chapter, however. Instead, we will prefer the presentation in Figure 9.9. There are two reasons for this. First and foremost, this formulation meshes better with the promise-then-fulfill pattern that was necessary for state in Figure 9.6 and that is also necessary for continuations in Section 9.6 below. As a secondary consideration, using the first formulation would require us to significantly change the structure of our inversion lemmas. In previous inversion lemmas, proving that gen/cont could always be rotated to the end of a generative trace was simple, because it introduced no LF variables or persistent nonterminals. The gen/cont rule in Figure 9.8 does introduce an LF variable $d'$, invalidating the principle used in Section 9.2.1.

The dest/promise rule in Figure 9.9 is interesting in that it requires each destination $d'$ to be created along with foreknowledge of the destination, $d$, that the destination $d'$ will return to. This effectively forces all the destinations into a tree structure from the moment of their creation onwards, a point that will become important when we modify Figure 9.9 to account for persistent destinations and first-class continuations. The root of this tree is the destination $d_0$ that already exists in the initial process state $(d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph)$.

9.5.1  Uniqueness  and  index  sets 

One  consequence  of  the  way  we  use  the  promise-then-fulfill  pattern  in  this  specification  is  that 
our  unique  index  property  becomes  conceptually  prior  to  our  inversion  lemma. 

Lemma (Unique indices of $\Sigma_{Gen9.9}$).

1. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$,
   $x{:}(gendest\ d\ d_1)\ eph \in \Delta$, and $y{:}(gendest\ d\ d_2)\ eph \in \Delta$,
   then $x = y$ and $d_1 = d_2$.

2. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$,
   $x{:}(gendest\ d\ d_1)\ eph \in \Delta$, and $y{:}(gen\ tp\ d)\ eph \in \Delta$,
   then there is a contradiction.

3. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$,
   $x{:}(gendest\ d\ d_1)\ eph \in \Delta$, and $y{:}(cont\ f\ d\ d')\ eph \in \Delta$,
   then there is a contradiction.

4. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$,
   $x{:}(gen\ tp_1\ d)\ eph \in \Delta$, and $y{:}(gen\ tp_2\ d)\ eph \in \Delta$,
   then $x = y$ and $tp_1 = tp_2$.

5. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$,
   $x{:}(cont\ f_1\ d\ d_1)\ eph \in \Delta$, and $y{:}(cont\ f_2\ d\ d_2)\ eph \in \Delta$,
   then $x = y$, $f_1 = f_2$, and $d_1 = d_2$.

Proof. Induction and case analysis on the last steps of the trace $T$; each part uses the previous parts (parts 2 and 3 use part 1, and parts 4 and 5 use parts 2 and 3). □

This  lemma  is  a  lengthy  way  of  expressing  what  is  ultimately  a  very  simple  property:  that 
the  second  position  of  gendest  is  a  unique  index  and  that  it  passes  on  that  unique  indexing  to  the 
second  position  of  gen  and  the  second  position  of  cont. 

Definition 9.5. A set $S$ is a unique index set under a generative signature $\Sigma$ and an initial state $(\Psi;\Delta)$ if, whenever

• $a/i \in S$,

• $b/j \in S$,

• $(\Psi;\Delta) \leadsto^*_\Sigma (\Psi';\Delta')$,

• $x{:}(a\ t_1 \ldots t_n)\ lvl \in \Delta'$, and

• $y{:}(b\ s_1 \ldots s_m)\ lvl' \in \Delta'$,

it is the case that $t_i = s_j$ implies $x = y$. Of course, if $x = y$, that in turn implies that $a = b$, $i = j$, $n = m$, $t_k = s_k$ for $1 \le k \le n$, and $lvl = lvl'$.

The complicated lemma above can then be captured by the dramatically more concise statement: $\{gendest/1, gen/2\}$ and $\{gendest/1, cont/2\}$ are both unique index sets under the signature $\Sigma_{Gen9.9}$ and the initial state $(d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph)$. In fact, we can extend the first unique index set to $\{gendest/1, gen/2, eval/2, retn/2\}$. Stating that $\{gendest/1, gen/2\}$ was a unique index property previously required 3 distinct statements, and it would take 10 distinct statements to express that $\{gendest/1, gen/2, eval/2, retn/2\}$ is a unique index property.10 The unique index property for cells (Section 9.4.2) can be rephrased by saying that $\{ofcell/1\}$ is a unique index set; $\{gencell/1, cell/1\}$ is also a unique index set in that specification.

10 Four positive statements (similar to parts 1, 4, and 5 of the lemma above) along with $\binom{4}{2} = 6$ negative ones (similar to parts 2 and 3 of the lemma above).

It’s  also  possible  for  unique  index  sets  to  be  simply  (and,  presumably,  mechanically)  checked. 
This  amounts  to  a  very  simple  preservation  property. 
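Definition 9.5 is simple enough to check mechanically over a single process state. The Python program below is an added example, not code from the dissertation or from the SLS implementation: it reports the pairs of propositions that share a term at an indexed position, and, since gendest and cont both record which destination a new destination returns to, it also checks that those returns form a tree rooted at $d_0$, the property that dest/promise forces. The process states, the variable names x, y, z1, z2, a and b, the destinations d0, d1 and d2, and the frame name are all constructed for the example.

```python
# Added example; not code from the dissertation or from the SLS implementation.
# A process state is a list of (variable, predicate, args, level) tuples;
# an index set is a set of (predicate, position) pairs with 1-based
# positions, so ('gendest', 1) is what the text writes as gendest/1.


def unique_index_violations(state, index_set):
    """Pairs (x, y) of distinct variables that carry the same term at
    positions in index_set, i.e. counterexamples to Definition 9.5 for
    this one state.  An empty list means the property holds here."""
    first_owner = {}   # term -> first variable seen carrying it at an indexed position
    violations = []
    for var, pred, args, _lvl in state:
        for pos, term in enumerate(args, start=1):
            if (pred, pos) not in index_set:
                continue
            owner = first_owner.setdefault(term, var)
            if owner != var and (owner, var) not in violations:
                violations.append((owner, var))
    return violations


def is_unique_index_set(state, index_set):
    return not unique_index_violations(state, index_set)


def destination_parents(state):
    """Parent map d' -> {d} read off gendest d' d and cont f d' d, the two
    propositions of Figure 9.9 that record where a destination returns."""
    parents = {}
    for _var, pred, args, _lvl in state:
        if pred == 'gendest':
            child, parent = args
        elif pred == 'cont':
            _frame, child, parent = args
        else:
            continue
        parents.setdefault(child, set()).add(parent)
    return parents


def destinations_form_tree(state, root):
    """True when every destination that returns anywhere has exactly one
    parent and reaches root by following parents, and root returns nowhere."""
    parents = destination_parents(state)
    if root in parents:
        return False
    for d in parents:
        seen, cur = set(), d
        while cur != root:
            if cur in seen or len(parents.get(cur, ())) != 1:
                return False
            seen.add(cur)
            (cur,) = parents[cur]
    return True


# Constructed states (assumed names).  GOOD_STATE: the root computation
# plus two promised destinations that both return to d0.
GOOD_STATE = [
    ('x',  'gen',     ('tp', 'd0'), 'eph'),
    ('z1', 'gendest', ('d1', 'd0'), 'eph'),
    ('z2', 'gendest', ('d2', 'd0'), 'eph'),
]
# BAD_STATE: the promise gendest d1 d0 survives next to a continuation that
# already returns to d1, the overlap that part 3 of the uniqueness lemma
# excludes for reachable states.
BAD_STATE = GOOD_STATE + [
    ('y', 'cont', ('app1 e2', 'd1', 'd0'), 'eph'),
]
# CYCLIC_STATE: two promises that return to each other and never to d0.
CYCLIC_STATE = [
    ('a', 'gendest', ('d1', 'd2'), 'eph'),
    ('b', 'gendest', ('d2', 'd1'), 'eph'),
]

GENDEST_GEN = {('gendest', 1), ('gen', 2)}
GENDEST_CONT = {('gendest', 1), ('cont', 2)}


if __name__ == '__main__':
    print(unique_index_violations(GOOD_STATE, GENDEST_GEN))   # []
    print(unique_index_violations(BAD_STATE, GENDEST_CONT))   # [('z1', 'y')]
    print(destinations_form_tree(GOOD_STATE, 'd0'),
          destinations_form_tree(CYCLIC_STATE, 'd0'))          # True False
```

The check is per state, so it is the "very simple preservation property" of the text in the sense that running it on the output of every transition (and on the initial state) is what establishes the set as a unique index set; the function itself never needs the generative trace.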

9.5.2  Inversion 

Lemma (Inversion - Figure 9.9).

1. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{y{:}(eval\ e\ d)\ eph\})$,
   then $T = (T';\ \{y\} \leftarrow gen/eval\ tp\ d\ e\ (x' \bullet\ !N))$,
   where $\Psi; \Delta \vdash N : of\ e\ tp\ true$,
   $T' :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{x'{:}(gen\ tp\ d)\ eph\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gen\ tp\ d)\ eph\}$.

2. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{y{:}(retn\ v\ d)\ eph\})$,
   then $T = (T';\ \{y\} \leftarrow gen/retn\ tp\ d\ v\ (x' \bullet\ !N \bullet\ !N_v))$,
   where $\Psi; \Delta \vdash N : of\ v\ tp\ true$, $\Psi; \Delta \vdash N_v : value\ v\ true$,
   $T' :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{x'{:}(gen\ tp\ d)\ eph\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gen\ tp\ d)\ eph\}$.

3. If $T :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{y_1{:}(gen\ tp'\ d')\ eph,\ y_2{:}(cont\ f\ d'\ d)\ eph\})$,
   then $T = (T';\ \{y_1, y_2\} \leftarrow gen/cont\ tp\ d\ f\ tp'\ d'\ (x' \bullet\ !N \bullet z))$,
   where $\Psi; \Delta \vdash N : off\ f\ tp'\ tp\ true$,
   $T' :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\ \Theta\{x'{:}(gen\ tp\ d)\ eph,\ z{:}(gendest\ d'\ d)\ eph\})$,
   and $\Delta$ is the persistent part of $\Theta\{x'{:}(gen\ tp\ d)\ eph,\ z{:}(gendest\ d'\ d)\ eph\}$.


Proof. As with other inversion lemmas, each case follows by induction and case analysis on the last steps of $T$. The trace cannot be empty, so $T = T''; S$ for some $T''$ and $S$, and we let $Var$ be the set of relevant variables $\{y\}$ in parts 1 and 2, and $\{y_1, y_2\}$ in part 3.

If $\emptyset = S^\bullet \cap Var$, the proof proceeds by induction as it did in Section 9.2.1.

If $S^\bullet \cap Var$ is nonempty, then we must again show by case analysis that $S^\bullet = Var$ and that furthermore $S$ is the step we were looking for. As before, this is easy for the unary grammar productions where $Var$ is a singleton set: there is only one rule that can produce an atomic proposition $eval\ e\ d$ or $retn\ v\ d$.

When $Var$ is not a singleton (which only happens in part 3 for this lemma), we must use the unique index property to reason that if there is any overlap, that overlap must be total.

• Say $S = \{y_1, y_2'\} \leftarrow gen/cont\ tp\ d''\ f''\ tp'\ d'\ (x' \bullet\ !N \bullet z)$.

  Then the final state contains $y_2{:}(cont\ f\ d'\ d)\ eph$ and $y_2'{:}(cont\ f''\ d'\ d'')\ eph$. The shared $d'$ and the unique index property ensure that $y_2 = y_2'$, $f = f''$, and $d = d''$.

• Say $S = \{y_1', y_2\} \leftarrow gen/cont\ tp\ d\ f\ tp'''\ d'\ (x' \bullet\ !N \bullet z)$.

  Then the final state contains $y_1{:}(gen\ tp'\ d')\ eph$ and $y_1'{:}(gen\ tp'''\ d')\ eph$. The shared $d'$ and the unique index property ensure that $y_1 = y_1'$ and $tp' = tp'''$.

Therefore, $S = \{y_1, y_2\} \leftarrow gen/cont\ tp\ d\ f\ tp'\ d'\ (x' \bullet\ !N \bullet z)$. □


9.5.3  Preservation 

As  we  once  again  have  no  persistent  nonterminals,  we  can  return  to  the  simpler  form  of  the 
preservation  theorem  used  in  Theorem  9.2  and  Theorem  9.3  (compared  to  the  more  complex 
formulation  needed  for  Theorem  9.4). 

Theorem 9.6 ($\Sigma_{Gen9.9}$ is a generative invariant). If $T_1 :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi;\Delta)$ and there is a step $S :: (\Psi;\Delta) \leadsto (\Psi';\Delta')$ under the signature from Figure 7.5, then $T_2 :: (d_0{:}dest;\ x_0{:}(gen\ tp_0\ d_0)\ eph) \leadsto^*_{\Sigma_{Gen9.9}} (\Psi';\Delta')$.


Proof. As usual, we enumerate the synthetic transitions possible under the signature in Figure 7.5, perform inversion on the structure of T1, and then use the results of inversion to construct T2. We give one illustrative case.

Case {d2, y1, y2} ← ev/app1 (λx.e) d1 e2 d (x1 • x2)

  :: (Ψ; Θ{x1:(retn (lam λx.e) d1) eph, x2:(cont (app1 e2) d1 d) eph})

  ⟶ (Ψ, d2:dest; Θ{y1:(eval e2 d2) eph, y2:(cont (app2 λx.e) d2 d) eph})

Applying inversion (Part 2, then Part 3) to T1, we have

T1 = (d0:dest; x0:(gen tp0 d0) eph)

      ⟶*  [T]

     (Ψ; Θ{x':(gen tp d) eph, z1:(gendest d1 d) eph})

      {x1', x2} ← gen/cont tp d (app1 e2) tp' d1 (x' • !N2 • z1)

     (Ψ; Θ{x1':(gen tp' d1) eph, x2:(cont (app1 e2) d1 d) eph})

      {x1} ← gen/retn tp' d1 v (x1' • !N1 • !Nv1)

     (Ψ; Θ{x1:(retn (lam λx.e) d1) eph, x2:(cont (app1 e2) d1 d) eph})

where Δ contains the persistent propositions from Θ and where

• Ψ; Δ ⊢ N2 : off (app1 e2) tp' tp true. By traditional inversion we know there exist tp'' and N2' such that tp' = arr tp'' tp and Ψ; Δ ⊢ N2' : of e2 tp'' true.

• Ψ; Δ ⊢ N1 : of (lam λx.e) (arr tp'' tp) true. By traditional inversion we know there exists N1' where Ψ, x:exp; Δ, dx:(of x tp'') pers ⊢ N1' : of e tp true.

We can use T to construct T2 as follows:

T2 = (d0:dest; x0:(gen tp0 d0) eph)

      ⟶*  [T]

     (Ψ; Θ{x':(gen tp d) eph, z1:(gendest d1 d) eph})

      {} ← dest/unused d1 d z1

      {d2, z2} ← dest/promise d

     (Ψ, d2:dest; Θ{x':(gen tp d) eph, z2:(gendest d2 d) eph})

      {y1', y2} ← gen/cont tp d (app2 λx.e) tp'' d2
                   (x' • !(off/app2 tp'' (λx.e) tp (λx. λdx. N1')) • z2)

     (Ψ, d2:dest; Θ{y1':(gen tp'' d2) eph, y2:(cont (app2 λx.e) d2 d) eph})

      {y1} ← gen/eval tp'' d2 e2 (y1' • !N2')

     (Ψ, d2:dest; Θ{y1:(eval e2 d2) eph, y2:(cont (app2 λx.e) d2 d) eph})


The other cases follow the same pattern. □


offuture: exp -> typ -> prop pers.
genfuture: dest -> exp -> prop lin.

of/future: of X Tp <- offuture X Tp.

future/promise: {Exists d. Exists x. $genfuture d x * !offuture x Tp}.

future/compute: $genfuture D X * !offuture X Tp
  >-> {$gen Tp D * $promise D X}.

future/bind: $genfuture D X * !offuture X Tp * !of V Tp * !value V
  >-> {!bind X V}.

Figure 9.10: Generative invariant: futures

9.5.4  Extensions 

Generative invariants for parallel evaluation (Figure 7.6) and the alternate semantics of parallelism and failure (Figure 7.7) as described in Section 7.2.1 are straightforward extensions of the development in this section. Synchronization (Section 7.2.2) and futures (Section 7.2.3) are a bit more interesting from the perspective of generative invariants and preservation. Figure 9.10 is one proposal for a generative invariant for our SLS encoding of futures, but we leave further consideration for future work.


9.6  Persistent  continuations 

The final specification style we will cover in detail is the use of persistent continuations as discussed in Section 7.2.4 as a way of giving an SSOS semantics for first-class continuations (Figure 7.11). The two critical rules from Figure 7.11 are repeated below: ev/letcc captures the destination representing the current continuation, and the rule ev/throw2 throws away the continuation represented by d2 and throws computation to the continuation represented by dk.

ev/letcc: $eval (letcc \x. E x) D >-> {$eval (E (contn D)) D}.

ev/throw2: $retn (contn DK) D2 * !cont (throw2 V1) D2 D
  >-> {$retn V1 DK}.


gen: prop lin.

ofdest: dest -> typ -> prop pers.
gendest: dest -> dest -> prop lin.

value/contn: value (contn D).

of/letcc: of (letcc \x. E x) Tp
  <- (All x. of x (conttp Tp) -> of (E x) Tp).
of/contn: of (contn D) (conttp Tp)
  <- ofdest D Tp.
of/throw: of (throw E1 E2) Tp'
  <- of E1 Tp
  <- of E2 (conttp Tp).

off/throw1: off (throw1 E2) Tp Tpx
  <- of E2 (conttp Tp).
off/throw2: off (throw2 V1) (conttp Tp) Tpx
  <- of V1 Tp
  <- value V1.

dest/promise: {Exists d'. $gendest d' D * !ofdest d' Tp'}.
dest/fulfill: $gendest D' D *
  !off F Tp' Tp * !ofdest D' Tp' * !ofdest D Tp
  >-> {!cont F D' D}.

gen/eval: $gen * !ofdest D Tp * !of E Tp >-> {eval E D}.
gen/retn: $gen * !ofdest D Tp * !of V Tp * !value V >-> {retn V D}.

Figure 9.11: Generative invariant: persistent destinations and first-class continuations

While  the  setup  of  Figure  9.9  is  designed  to  make  the  transition  to  persistent  continuations  and 
letcc  seem  less  unusual,  this  section  still  represents  a  radical  shift. 

It  should  not  be  terribly  surprising  that  the  generative  invariant  for  persistent  continuations 
is  rather  different  than  the  other  generative  invariants.  Generative  invariants  capture  patterns 
of  specification,  and  we  have  mostly  concentrated  on  patterns  that  facilitate  concurrency  and 
communication.  Persistent  continuations,  on  the  other  hand,  are  a  pattern  mostly  associated  with 
first-class  continuations.  There  is  not  an  obvious  way  to  integrate  continuations  and  parallel  or 
concurrent  evaluation,  and  the  proposal  by  Moreau  and  Ribbens  in  [MR96]  is  not  straightforward 
to  adapt  to  the  semantic  specifications  we  gave  in  Chapter  7. 
Consider again the gendest/promise rule from Figure 9.9. The rule consumes no nonterminals and is the only rule introducing LF variables, so any T :: (d0:dest; x0:(gen tp0 d0) eph) ⟶*_{Σ_Gen9.9} (Ψ; Δ) can be factored into two parts T = T1; T2 where T1 contains only steps that use gendest/promise. The computational effect of Theorem 9.6 is that T1 grows to track the tree-structured shape of the stack, both past and present. We could record, if we wanted to, the past structure of the control stack by adding a persistent nonterminal ghostcont f d' d and modifying dest/unused in Figure 9.9 as follows:

dest/unused: $gendest D' D >-> {!ghostcont F D' D}.

Once we make the move to persistent continuations, however, there is no need to create a ghost continuation; we can just have the rule dest/unused (renamed to dest/fulfill in Figure 9.11) create the continuation itself. To make this work, dest/promise predicts the type that will be associated with a newly-generated destination d by generating a persistent nonterminal ofdest d tp. (This is just like how gencell/promise in Figure 9.6 predicts the type of a location l by generating a persistent nonterminal ofcell l tp.) Then, dest/fulfill checks to make sure that the generated continuation frame has the right type relative to the destinations it connects.

Taken together, the rules dest/promise and dest/fulfill in Figure 9.11 create a tree-structured map of destinations starting from an initial destination d0 and an initial persistent atomic proposition ofdest d0 tp0, and the dest/fulfill rule ensures that every destination on this map encodes a specific and well-typed stack of frames that can be read off by following destinations back to the root d0. The initial ofdest proposition takes over for the mobile proposition gen tp0 d0 that formed the root of our tree in all previous specifications. The mobile gen nonterminal no longer needs indices, and just serves to place a single eval or retn somewhere on the well-typed map of destinations. The initial state of our generative traces is therefore (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph); this is reflected in the preservation theorem.
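To make the destination map concrete, the following is an added example in Python; it is not code from the dissertation or from the SLS implementation. It models dest/promise and dest/fulfill from Figure 9.11 as operations on a small table of ofdest, gendest and cont facts, reads a stack off a destination by following cont facts back to d0, and then carries out the ev/throw2 step from Figure 7.11 on a captured destination. The fact names follow the figure; the frame language (plus1, throw2), the frame-typing function off, the destination names d1, d2 and the value 7 are assumptions made for the example.

```python
# Added example (not from the dissertation): the destination map of
# Figure 9.11, with the ev/throw2 step of Figure 7.11 on top of it.
# Fact names follow the figure; frames, their typing and all data are assumed.


def off(frame):
    """Assumed frame typing off f tp' tp, returned as the pair (tp', tp):
    the frame waits for a value of type tp' and the whole stack yields tp."""
    if frame[0] == "plus1":                  # plus1 n : int -> int
        return ("int", "int")
    if frame[0] == "throw2":                 # off (throw2 V1) (conttp Tp) Tpx, V1 : Tp
        _, _v1, tp_v, tpx = frame
        return (("conttp", tp_v), tpx)
    raise ValueError(f"unknown frame {frame!r}")


class DestMap:
    """Persistent ofdest/cont facts plus the linear gendest promises.  The
    dictionaries are keyed so that {ofdest/1} and {gendest/1, cont/2} are
    unique index sets by construction."""

    def __init__(self, tp0):
        self.ofdest = {"d0": tp0}   # ofdest d tp   (persistent); the root is d0
        self.gendest = {}           # gendest d' d  (linear), keyed by d'
        self.cont = {}              # cont f d' d   (persistent), keyed by d'
        self.counter = 0

    def promise(self, d, tp_new):
        """dest/promise: Exists d'. $gendest d' D * !ofdest d' Tp'.
        The type of the fresh destination is predicted here."""
        if d not in self.ofdest:
            raise KeyError(f"{d} is not on the destination map")
        self.counter += 1
        d_new = f"d{self.counter}"
        self.gendest[d_new] = d
        self.ofdest[d_new] = tp_new
        return d_new

    def fulfill(self, d_new, frame):
        """dest/fulfill: $gendest D' D * !off F Tp' Tp * !ofdest D' Tp'
        * !ofdest D Tp >-> {!cont F D' D}.  The frame must connect the
        predicted types; otherwise the linear promise is left untouched."""
        d = self.gendest[d_new]
        if off(frame) != (self.ofdest[d_new], self.ofdest[d]):
            raise TypeError(f"{frame!r} does not connect {d_new} to {d}")
        del self.gendest[d_new]             # consume the promise ...
        self.cont[d_new] = (frame, d)       # ... and record the frame persistently

    def stack(self, d):
        """Read off the control stack encoded by d by following cont facts
        back to the root d0 (innermost frame first)."""
        frames = []
        while d != "d0":
            frame, d = self.cont[d]
            frames.append(frame)
        return frames

    def indices_unique(self):
        """{gendest/1, cont/2}: no d' is both promised and fulfilled."""
        return not (set(self.gendest) & set(self.cont))


def throw2(m, dk, d2):
    """ev/throw2: $retn (contn DK) D2 * !cont (throw2 V1) D2 D >-> {$retn V1 DK}.
    Returns (v1, dk).  Preservation rests on ofdest D2 = conttp Tp (the type
    of contn DK) and ofdest DK = Tp; both are checked here.  The stack below
    d2 is abandoned but stays readable, since cont is persistent."""
    frame, _d = m.cont[d2]
    if frame[0] != "throw2":
        raise ValueError(f"{d2} is not waiting on a throw2 frame")
    _, v1, tp_v, _tpx = frame
    if m.ofdest[d2] != ("conttp", tp_v) or m.ofdest[dk] != tp_v:
        raise TypeError("throw target is not typed by ofdest as expected")
    return v1, dk


def demo():
    """Assumed scenario: d0 : int; d1 waits on plus1 1; letcc at d1 yields
    contn d1, which is thrown the value 7 from d2 : conttp int.  Returns the
    value, the resumed destination, the stacks of d1 and d2, and the index check."""
    m = DestMap("int")
    d1 = m.promise("d0", "int")
    m.fulfill(d1, ("plus1", 1))
    d2 = m.promise(d1, ("conttp", "int"))
    m.fulfill(d2, ("throw2", 7, "int", "int"))
    v, dk = throw2(m, d1, d2)
    return v, dk, m.stack(dk), m.stack(d2), m.indices_unique()


def mistyped_frame_keeps_promise():
    """A frame that does not connect the predicted types is rejected by
    dest/fulfill and the linear promise gendest d' d stays in place."""
    m = DestMap("int")
    d = m.promise("d0", "bool")
    try:
        m.fulfill(d, ("plus1", 1))          # plus1 needs int, but d : bool
    except TypeError:
        return d in m.gendest and d not in m.cont
    return False
```

In demo(), stack(d2) is still readable after the throw even though computation has moved to d1: that is the whole point of recording cont persistently rather than consuming it, and it is why the unique index check on {gendest/1, cont/2} rather than any linear bookkeeping is what keeps the map consistent.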

Lemma (Unique indices of Σ_Gen9.11). Both {ofdest/1} and {gendest/1, cont/2} are unique index sets under the initial state (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) and the signature Σ_Gen9.11.

Proof. Induction and case analysis on the last steps of a given trace. □

Lemma (Inversion – Figure 9.11).

1. If T :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{y:(eval e d) eph}),

   then T = (T'; {y} ← gen/eval d tp e (z' • x • !N)),

   where x:(ofdest d tp) pers ∈ Δ, Ψ; Δ ⊢ N : of e tp true,

   T' :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{z':(gen) eph}),
   and Δ is the persistent part of (Ψ; Θ{z':(gen) eph}).

2. If T :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{y:(retn v d) eph}),

   then T = (T'; {y} ← gen/retn d tp v (z' • x • !N • !Nv)),

   where x:(ofdest d tp) pers ∈ Δ, Ψ; Δ ⊢ N : of v tp true, Ψ; Δ ⊢ Nv : value v true,

   T' :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{z':(gen) eph}),
   and Δ is the persistent part of (Ψ; Θ{z':(gen) eph}).

3. If T :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{y:(cont f d' d) pers}),

   then T = (T'; {y} ← dest/fulfill d' d f tp' tp (y' • !N • x' • x)),

   where x':(ofdest d' tp') pers ∈ Δ, x:(ofdest d tp) pers ∈ Δ, Ψ; Δ ⊢ N : off f tp' tp true,

   T' :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Θ{y':(gendest d' d) eph}),
   and Δ is the persistent part of (Ψ; Θ{y':(gendest d' d) eph}).

Proof. Induction and case analysis on the last steps of the trace T; each case is individually quite simple because Var is always a singleton {y}. While we introduce a persistent atomic proposition cont in part 3, the step that introduces this proposition can always be rotated to the end of a trace because cont propositions cannot appear in the input interface of any step under the generative signature Σ_Gen9.11. This is a specific property of Σ_Gen9.11, but it also follows from the definition of generative signatures (Definition 9.1), which stipulates that transitions enabled by a generative signature cannot consume or mention terminals like cont.

As an aside, z will always equal z' in parts 1 and 2, but we will never need to rely on this fact. □


Theorem 9.7 (Σ_Gen9.11 is a generative invariant).

If T1 :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ; Δ) and S :: (Ψ; Δ) ⟶ (Ψ'; Δ') under the signature from Figure 7.11 (Section 7.2.4), then there is some Δ'' such that (Ψ'; Δ') and (Ψ'; Δ'') differ only in persistent propositions and T2 :: (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph) ⟶*_{Σ_Gen9.11} (Ψ'; Δ'').


[Diagram: from the initial state (d0:dest; x0:(ofdest d0 tp0) pers, z:(gen) eph), the generative trace T1 (under Σ_Gen9.11) reaches (Ψ; Δ), which steps by S to (Ψ'; Δ'); the generative trace T2 (under Σ_Gen9.11) reaches (Ψ'; Δ''), which is related to (Ψ'; Δ') by the dashed edge.]


Proof. As always, the proof proceeds by enumeration, inversion, and reconstruction; the cases are all fundamentally similar to the ones we have already seen. □


9.7  On  mechanization 

In  this  chapter,  we  have  shown  that  generative  invariants  can  describe  well-formedness  and  well- 
typedness  properties  of  the  full  range  of  specifications  discussed  in  Part  II  of  this  dissertation.  We 
have  furthermore  shown  that  these  generative  invariants  are  a  suitable  basis  for  reasoning  about 
type  preservation  in  these  specifications.  All  of  these  proofs  have  a  common  3-step  structure: 

1.  Straightforward  unique  index  properties, 

2.  An  inversion  lemma  that  mimics  the  structure  of  the  generative  signature,  and 
3. A preservation theorem that proceeds by enumerating transitions, applying inversion to the given generative trace, and using the result to construct a new generative trace.

Despite the fact that the inversion lemmas in this chapter technically use induction, they do so in such a trivial way that it is quite possible to imagine that inversion lemmas could be automatically synthesized from a generative signature. Unique index properties may be less straightforward to synthesize, but like termination and mode properties in Twelf, they should be entirely straightforward to verify. Only the last part of step 3, the reconstruction that happens in a preservation theorem, has the structure of a more general theorem proving task. Therefore, there is reason to hope that we can mechanize the tedious results in this chapter in a framework that does much of the work of steps 1 and 2 automatically.
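As an added illustration of what steps 1 and 2 amount to as a syntactic computation, the following Python is an example written for this edition and is not part of the dissertation or the SLS implementation. It transcribes the rules of Figure 9.11 as data (predicate names only; the split of predicates into terminals, nonterminals and typing judgments is assumed), checks the restriction on generative signatures that the inversion lemma for Figure 9.11 relies on (no rule consumes or mentions a terminal), and produces the skeleton of that inversion lemma: for each terminal, the unique rule that must end the rotated trace together with the nonterminals it consumed and the typing derivations it read.

```python
# Added example (not from the dissertation): syntactic checks on a
# generative signature, run over our own transcription of Figure 9.11.
# Each rule is (name, premises, conclusions) over predicate names only.

TERMINALS = {"eval", "retn", "cont"}           # atoms of the dynamic semantics
NONTERMINALS = {"gen", "gendest", "ofdest"}    # atoms private to the generative signature
TYPING = {"of", "off", "value"}                # persistent LF typing judgments

# Figure 9.11, transcribed: dest/promise has no premises (it introduces a
# fresh destination); the other rules consume or read what the figure shows.
GEN_9_11 = [
    ("dest/promise", [], ["gendest", "ofdest"]),
    ("dest/fulfill", ["gendest", "off", "ofdest", "ofdest"], ["cont"]),
    ("gen/eval", ["gen", "ofdest", "of"], ["eval"]),
    ("gen/retn", ["gen", "ofdest", "of", "value"], ["retn"]),
]


def is_generative(sig):
    """The restriction of Definition 9.1 used in Section 9.6: no rule
    consumes or mentions a terminal in its premises, and every atom a rule
    produces is a known terminal, nonterminal or typing judgment."""
    allowed = TERMINALS | NONTERMINALS | TYPING
    return all(not (set(prem) & TERMINALS) and set(concl) <= allowed
               for _name, prem, concl in sig)


def producers(sig):
    """For each terminal, the rules whose conclusion produces it."""
    out = {t: [] for t in TERMINALS}
    for name, _prem, concl in sig:
        for atom in concl:
            if atom in TERMINALS:
                out[atom].append(name)
    return out


def inversion_cases(sig):
    """Skeleton of the inversion lemma: for each terminal, the unique rule
    whose step must end the (rotated) trace, with the nonterminals it
    consumed and the typing derivations it read.  If a terminal has several
    producers, Var is not a singleton and the lemma would need a unique
    index argument instead, so synthesis stops there."""
    if not is_generative(sig):
        raise ValueError("a step producing a terminal could not be rotated to the end")
    cases = {}
    for terminal, rules in producers(sig).items():
        if len(rules) != 1:
            raise ValueError(f"{terminal}: producers {rules}, Var is not a singleton")
        (name,) = rules
        prem = next(p for n, p, _c in sig if n == name)
        cases[terminal] = (name,
                           [a for a in prem if a in NONTERMINALS],
                           [a for a in prem if a in TYPING])
    return cases
```

For Figure 9.11 the synthesized case for cont names dest/fulfill, the consumed gendest and the two ofdest facts, and the off derivation, which is exactly the content of part 3 of the inversion lemma above. A signature with a rule such as ("bad", ["cont"], ["gen"]) is rejected by is_generative, since the rotation argument in the proof of that lemma would no longer go through.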
Chapter 10

Safety  for  substructural  specifications 


In Chapter 9, we showed how the preservation theorem could be established for a wide variety of SSOS semantics, both ordered abstract machines and destination-passing style semantics. The methodology of generative invariants we espoused goes significantly beyond previous work on type preservation for operational semantics specifications in substructural logic. Neither the Linear LF encodings by Pfenning, Cervesato, and Reed [CP02, Ree09a], nor the Ordered LF encodings of Felty and Momigliano [FM12], discuss preservation for concurrent specifications or for first-class continuations.

More fundamentally, however, this previous work does not even provide a language for talking about progress theorems, the other critical companion of type safety theorems. These previous approaches were universally based on complete derivations. These complete derivations have the flavor of derivations in a big-step semantics, and it is difficult or even impossible to talk about progress for such specifications. The purpose of this chapter is to establish that the SLS framework's traces T and steps S, which correspond to partial proofs, provide a suitable basis for stating progress theorems (and therefore language safety theorems) and for proving these theorems.

We  do  not  discuss  progress  and  safety  for  the  full  range  of  specifications  from  Part  II  or 
Chapter  9,  however.  Instead,  we  will  just  discuss  progress  for  two  examples:  the  ordered  abstract 
machine  specification  with  parallelism  and  failure  used  as  an  example  in  Figure  9.1,  and  the 
extension  of  this  specification  with  mutable  storage.  The  rest  is  left  for  future  work,  though  we 
claim  that  these  two  examples  serve  to  get  across  all  the  concepts  necessary  to  prove  progress 
theorems  for  SSOS  specifications.  Ultimately,  it  is  not  only  possible  to  prove  progress  and  safety 
theorems  using  SSOS  specifications  in  SLS;  it’s  also  reasonably  straightforward. 


10.1  Backwards  and  forwards  through  traces 

In the last chapter, we worked on traces exclusively by induction and case analysis on the last steps of a generative trace. This form of case analysis and induction on the last steps of a trace can also be used to prove progress for sequential SSOS specifications, and it is actually necessary to prove progress for SSOS specifications with first-class continuations (discussed in Section 7.2.4 and Section 9.6) in this way, though we leave the details of this argument as future work. However, for the ordered abstract machine example from Figure 9.1, the other direction is more natural: we work by induction and case analysis on the first steps of a generative trace. The branching structure introduced by parallel continuation frames (that is, ordered propositions cont2 f) is what makes it more natural to work from the beginning of a generative trace, rather than the end.

The proof of progress relies critically on one novel property: that transitions in the generative trace do not tamper with terminals. Formally, we need to know that if Θ{Δ} ⟶*_{Σ_Gen} Δ' under some generative signature Σ_Gen and if Δ contains only terminals, then there is some Θ' such that the final state Δ' matches Θ'{Δ}. We will implicitly use this property in most of the cases of the progress theorem below.

This property holds for all the generative signatures in Chapter 9, but establishing this property for generative signatures in general necessitates a further restriction of what counts as a generative signature (Definition 9.1). To see why, let Δ = (x1:(retn v) ord, x2:(cont f) ord) and consider the generative rule ∀e.{eval e}, which is allowed under Definition 9.1. This rule could "break" the context by dropping an ordered eval e proposition in between x1 and x2. A sufficient general condition for avoiding this problem is to demand that any generative rule that produces ordered atomic propositions mentions an ordered nonterminal as a premise. (This is related to the property called separation in [SP08].)


10.2  Progress  for  ordered  abstract  machines 

The progress property is that, if T :: (x0:(gen tp0) ord) ⟶*_{Σ_Gen9.4} Δ and Δ contains only terminals, then one of these three possibilities holds:

1. Δ ⟶ Δ' under the signature from Figure 9.1,

2. Δ = y:(retn v) ord, where v is a value, or

3. Δ = y:(error) ord.

This is exactly the form of a traditional progress theorem: if a process state is well typed, it either takes a step under the dynamic semantics or is a final state (terminating with an error or returning a value).

The presence of parallel evaluation in Figure 9.1 necessitates that we generalize our induction hypothesis. The statement above is a straightforward corollary of Theorem 10.1 below.

Theorem 10.1 (Progress for ordered abstract machines). If T :: Θ{x:(gen tp) ord} ⟶*_{Σ_Gen9.4} Δ and Δ contains only terminals, then either

* Δ ⟶ Δ' under the signature from Figure 9.1 for some Δ', or else

* T = (T1; {y} ← gen/retn tp v (x • !N • !Nv); T2) and · ⊢ Nv : value v true, or else

* T = (T1; {y} ← gen/error tp x; T2).

In the proof of Theorem 10.1, we will not detail the parts of the proof that already arise in traditional proofs of progress for abstract machines. These missing details can be factored into two lemmas. The first lemma is that if · ⊢ N : of e tp true, then the process state Θ{x:(eval e) ord} can always take a step; this lemma justifies the classification of eval as an active proposition as described in Section 7.2.2 and in [PS09]. The second lemma is traditionally called a canonical forms lemma: it verifies, by case analysis on the structure of typing derivations and values, that well-typed values returned to well-typed frames can always take a step.

Proof. By induction and case analysis on the first steps of T. We cannot have T = ∘, because Δ contains only terminals (restriction cannot be applied to a context containing the nonterminal gen tp). So T = S; T', and either x ∉ •S or x ∈ •S.

If x ∉ •S, then T' :: Θ'{x:(gen tp) ord} ⟶*_{Σ_Gen9.4} Δ and we can succeed by immediate appeal to the induction hypothesis.

If x ∈ •S, then we perform case analysis on the possible transitions enabled by Σ_Gen9.4:

* S = {y} ← gen/eval e tp (x • !N) where · ⊢ N : of e tp true.

Because eval is a terminal, Δ = Θ'{y:(eval e) ord}, and we proceed by case analysis on N to show that the derivation can always take a step (eval is an active proposition).

* S = {y} ← gen/retn tp v (x • !N • !Nv) – succeed immediately.

* S = {y} ← gen/error tp x – succeed immediately.

* S = {y1', y2} ← gen/cont tp f tp' (x • !N) where · ⊢ N : off f tp' tp true.

Invoke the i.h. on T' :: Θ{y1':(gen tp') ord, y2:(cont f) ord} ⟶*_{Σ_Gen9.4} Δ, and then perform case analysis on the result to prove that Δ ⟶ Δ':

■ If Δ ⟶ Δ', then we're done.

■ If T' = (T1'; {y1} ← gen/retn tp' v (y1' • !N' • !Nv'); T2'), then because retn and cont are terminals, Δ = Θ'{y1:(retn v) ord, y2:(cont f) ord}, and we proceed by simultaneous case analysis on N, N', and Nv' (canonical forms lemma).

■ If T' = (T1'; {y1} ← gen/error tp' y1'; T2'), then because error and cont are terminals, Δ = Θ'{y1:(error) ord, y2:(cont f) ord}, and we have {z} ← ev/error f (y1 • y2) :: Δ ⟶ Θ'{z:(error) ord}.

* S = {y1', y2', y3} ← gen/cont2 tp f tp1 tp2 (x • !N) where · ⊢ N : off2 f tp1 tp2 tp true.

Invoke the i.h. twice on T' :: Θ{y1':(gen tp1) ord, y2':(gen tp2) ord, y3:(cont2 f) ord} ⟶*_{Σ_Gen9.4} Δ, once to see what happens to y1' and another time to see what happens to y2', and then perform case analysis on the result to prove that Δ ⟶ Δ':

■ If either invocation returns the first disjunctive possibility, that Δ ⟶ Δ', then we're done.

■ If both invocations return the second disjunctive possibility, then T' contains two steps {y1} ← gen/retn tp1 v1 (y1' • !N1 • !Nv1) and {y2} ← gen/retn tp2 v2 (y2' • !N2 • !Nv2). Because retn and cont2 are terminals, Δ = Θ'{y1:(retn v1) ord, y2:(retn v2) ord, y3:(cont2 f) ord}, and we proceed by simultaneous case analysis on N, N1, Nv1, N2, and Nv2 (canonical forms lemma).

■ In all the remaining cases, one of the subcomputations becomes an error and the other one becomes another error or a returned value. In any of these cases, Δ ⟶ Δ' by one of the rules ev/errret, ev/reterr, or ev/errerr.

* S = {y1', y2} ← gen/handle tp e2 (x • !N).

Invoke the i.h. on T' :: Θ{y1':(gen tp) ord, y2:(handle e2) ord} ⟶*_{Σ_Gen9.4} Δ, and then perform case analysis on the result to prove that Δ ⟶ Δ':

■ If Δ 
⟶ Δ', then we're done.

■ If T' = (T1'; {y1} ← gen/retn tp v (y1' • !N' • !Nv'); T2'), then because retn and handle are terminals, Δ = Θ'{y1:(retn v) ord, y2:(handle e2) ord}, and we have {z} ← ev/catcha v e2 (y1 • y2) :: Δ ⟶ Θ'{z:(retn v) ord}.

■ If T' = (T1'; {y1} ← gen/error tp y1'; T2'), then because error and handle are terminals, Δ = Θ'{y1:(error) ord, y2:(handle e2) ord}, and we have {z} ← ev/catchb e2 (y1 • y2) :: Δ ⟶ Θ'{z:(eval e2) ord}.

This covers all possible first steps in the trace T, and thus completes the proof. □


10.3  Progress  with  mutable  storage 

Developing progress proofs for stateful specifications requires a property that is dual to unique index sets (Definition 9.5, Section 9.5.1). Unique index sets require that there will only ever be at most one proposition of a certain form, and the dual property, assured index sets, requires that there is always at least one proposition of a certain form.

Definition 10.2. A set S is an assured index set at a type τ under a generative signature Σ and an initial state (Ψ; Δ) if whenever (Ψ; Δ) ⟶*_Σ (Ψ'; Δ'), then Ψ' ⊢ t : τ implies that, for some a/i ∈ S, x:(a t1 ... tn) lvl ∈ Δ' where ti = t.

The set {gencell/1, cell/1} is both a unique index set and an assured index set under Σ_Gen9.6 and the initial state (·; x0:(gen tp) ord). The latter property is critical to finishing the extension of the proof of Theorem 10.1 in certain cases where we invoke the canonical forms lemma. When we invoked the canonical forms lemma in the cont branch of that proof, we started with the knowledge that Δ = Θ'{y1:(retn v) ord, y2:(cont f) ord}. Two new outcomes are introduced when we introduce mutable state as discussed in Section 6.5.1 and Section 9.4. The first is the possibility that v = loc l while f = get1, and the second is the possibility that f = set2 l. In each case, we cannot proceed with rule ev/get1 or rule ev/set2, respectively, unless we also know that there is a variable binding z:(cell l v') in Δ. We know precisely this because {gencell/1, cell/1} is an assured index set, because Ψ ⊢ l : mutable_loc, and because gencell propositions, as nonterminals, cannot appear in the generated process state Δ. Therefore, in the former case we can produce a step {y', z'} ← ev/get1 l v' (y1 • y2 • z), and in the latter case we can produce a step {y', z'} ← ev/set2 v l v' (y1 • y2 • z).
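The progress arguments of Section 10.2 and this section can be run rather than only read. The following Python is an added example written for this edition, not code from the dissertation or from the SLS implementation. It is a deliberate miniature: the expression language (integers, locations, get, set, catch, error), the ordered abstract machine rules and the generative rules are assumed stand-ins for Figures 9.1 and 9.6 with the storage rules of Section 9.4, using the names from the text (eval, retn, cont, handle, error, cell, gen, gencell). It expands the nonterminal gen tp into every terminal-only ordered context up to a nesting depth, checks that each such state either steps or is final, and shows the stuck state that the assured index set {gencell/1, cell/1} rules out.

```python
# Added example (not from the dissertation): an executable miniature of the
# progress argument of Sections 10.2 and 10.3.  Language and rules assumed.
from itertools import product

INT, REF = "int", "ref"   # assumed types: integers and references to integers


def step(ordered, cells):
    """One transition of the assumed dynamic semantics.  `ordered` is the
    ordered context, left to right; `cells` maps a location l to the mobile
    proposition cell l v.  Returns the new (ordered, cells), or None when stuck."""
    o = list(ordered)
    for i, p in enumerate(o):
        left, right = o[:i], o[i + 1:]
        if p[0] == "eval":                       # eval is active: one rule per form
            e = p[1]
            if e[0] in ("num", "loc"):
                return tuple(left + [("retn", e)] + right), cells
            if e[0] == "error":
                return tuple(left + [("error",)] + right), cells
            if e[0] == "get":
                return tuple(left + [("eval", e[1]), ("cont", ("get1",))] + right), cells
            if e[0] == "set":
                return tuple(left + [("eval", e[1]), ("cont", ("set1", e[2]))] + right), cells
            if e[0] == "catch":
                return tuple(left + [("eval", e[1]), ("handle", e[2])] + right), cells
        if p[0] == "error" and right:
            if right[0][0] == "cont":            # ev/error: the frame is discarded
                return tuple(left + [p] + right[1:]), cells
            if right[0][0] == "handle":          # ev/catchb: run the handler
                return tuple(left + [("eval", right[0][1])] + right[1:]), cells
        if p[0] == "retn" and right:
            frame, rest = right[0], right[1:]
            if frame[0] == "handle":             # ev/catcha: drop the handler
                return tuple(left + [p] + rest), cells
            v, f = p[1], frame[1]
            if f[0] == "get1" and v[1] in cells:         # ev/get1 needs cell l v'
                return tuple(left + [("retn", cells[v[1]])] + rest), cells
            if f[0] == "set1":
                return tuple(left + [("eval", f[1]), ("cont", ("set2", v[1]))] + rest), cells
            if f[0] == "set2" and f[1] in cells:         # ev/set2 needs cell l v'
                return tuple(left + [p] + rest), {**cells, f[1]: v}
    return None


def exprs(tp, locs, depth):
    """Closed expressions e with of e tp over the locations in locs, nested at
    most `depth` deep: the typing derivations, enumerated."""
    out = [("error",)] + ([("num", 0)] if tp == INT else [("loc", l) for l in locs])
    if depth > 0:
        sub = lambda t: exprs(t, locs, depth - 1)
        if tp == INT:
            out += [("get", e) for e in sub(REF)]
            out += [("set", e1, e2) for e1, e2 in product(sub(REF), sub(INT))]
        out += [("catch", e1, e2) for e1, e2 in product(sub(tp), sub(tp))]
    return out


def frames(tp, locs):
    """Pairs (f, tp') with off f tp' tp: f consumes a tp' and yields tp."""
    if tp != INT:
        return []
    return ([(("get1",), REF)]
            + [(("set1", e2), REF) for e2 in exprs(INT, locs, 0)]
            + [(("set2", l), INT) for l in locs])


def generate(tp, locs, depth):
    """Expand the nonterminal gen tp into all terminal-only ordered contexts
    via gen/eval, gen/retn, gen/error, gen/cont and gen/handle."""
    values = [("num", 0)] if tp == INT else [("loc", l) for l in locs]
    states = [(("eval", e),) for e in exprs(tp, locs, depth)]
    states += [(("retn", v),) for v in values] + [(("error",),)]
    if depth > 0:
        for f, tp2 in frames(tp, locs):
            states += [s + (("cont", f),) for s in generate(tp2, locs, depth - 1)]
        for e2 in exprs(tp, locs, 0):
            states += [s + (("handle", e2),) for s in generate(tp, locs, depth - 1)]
    return states


def is_final(ordered):
    return len(ordered) == 1 and ordered[0][0] in ("retn", "error")


def progress_holds(tp, locs, depth):
    """Theorem 10.1 with storage, checked exhaustively: every generated state
    steps or is final.  gencell/promise and gencell/cell are modelled by giving
    each location one cell, which is what makes {gencell/1, cell/1} assured."""
    cells = {l: ("num", 0) for l in locs}
    return all(is_final(s) or step(s, cells) is not None
               for s in generate(tp, locs, depth))


def stuck_without_assured_cell():
    """Why the assured index set is needed: retn (loc l) meeting a get1 frame
    is stuck unless some cell l v' is present in the state."""
    s = (("retn", ("loc", "l0")), ("cont", ("get1",)))
    return step(s, {}) is None and step(s, {"l0": ("num", 0)}) is not None
```

progress_holds(INT, ["l0"], 2) walks a few hundred generated states; the exhaustive check is the finite counterpart of the induction on first steps in the proof of Theorem 10.1, and stuck_without_assured_cell() is the case that the assured index set argument above closes.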
10.4 Safety

We conclude by presenting the safety theorem for the ordered abstract machine specification from Figure 9.1. This theorem relates the encoding of the usual deductive formulation of the typing judgment, of e tp, to a progress property stated in terms of substructural process states.

Theorem 10.3 (Safety for ordered abstract machines). If T :: (x:(eval e) ord) ⟶* Δ under the signature from Figure 9.1 and · ⊢ N : of e tp, then either

* Δ ⟶ Δ' under the signature from Figure 9.1 for some Δ', or else

* Δ = (y:(retn v) ord) and · ⊢ Nv : value v, or else

* Δ = (y:(error) ord).

Proof. First, by induction and case analysis on the last steps of T, we show that for all Δ' such that T' :: (x:(eval e) ord) ⟶* Δ' under the signature from Figure 9.1, we can construct a generative trace Tg :: (x0:(gen tp) ord) ⟶*_{Σ_Gen9.4} Δ':

Base case T' = ∘.

Construct Tg = {x} ← gen/eval tp e (x0 • !N) :: (x0:(gen tp) ord) ⟶*_{Σ_Gen9.4} (x:(eval e) ord).

Inductive case T' = T''; S, where T'' :: (x:(eval e) ord) ⟶* Δ'' and S :: Δ'' ⟶ Δ', both under the signature from Figure 9.1.

By the induction hypothesis, we have Tg'' :: (x0:(gen tp) ord) ⟶*_{Σ_Gen9.4} Δ''. By preservation (Theorem 9.3) on Tg'' and S, we have Tg :: (x0:(gen tp) ord) ⟶*_{Σ_Gen9.4} Δ'.

This means, in particular, that we can construct Tg :: (x0:(gen tp) ord) ⟶*_{Σ_Gen9.4} Δ.

By the progress theorem (Theorem 10.1) on Tg, there are three possibilities:

* If Δ ⟶ Δ', then we're done.

* If Tg = (T1; {y} ← gen/retn tp v (x0 • !N' • !Nv'); T2), then by a trivial case analysis on T1 and T2 we can conclude that both are empty and, therefore, that Δ = (y:(retn v) ord).

* If Tg = (T1; {y} ← gen/error tp x0; T2), then by a trivial case analysis on T1 and T2 we can conclude that both are empty and, therefore, that Δ = (y:(error) ord).

This concludes the proof of safety. □
Chapter 11
Conclusion


This  document  has  endeavored  to  support  the  following  thesis: 

Thesis Statement: Logical frameworks based on a rewriting interpretation of substructural logics are suitable for modular specification of programming languages and formal reasoning about their properties.

In the service of this thesis, we first developed a logical framework of substructural logical specifications (SLS) based on a rewriting interpretation of ordered linear lax logic (OL3).
Part  I  of  the  dissertation  discusses  the  design  of  this  logical  framework,  and  in  the  process  firmly 
establishes  the  elegant  connection  between  two  sets  of  techniques: 

1.  Canonical  forms  and  hereditary  substitution  in  a  logical  framework,  on  one  hand,  and 

2.  Focused  derivations  and  cut  admissibility  in  logic,  on  the  other. 

The  broad  outlines  of  this  connection  have  been  known  for  a  decade,  but  this  dissertation  gives 
the  first  account  of  the  connection  that  generalizes  to  all  logical  connectives.  This  connection 
allows  the  SLS  framework  to  be  presented  as  a  syntactic  refinement  of  focused  ordered  linear 
lax  logic;  the  steps  and  traces  of  SLS,  which  provide  its  rewriting  interpretation,  are  justified  as 
partial  proofs  in  focused  ordered  linear  lax  logic.  SLS  does  move  beyond  the  connection  with 
focused  logic  due  to  the  introduction  of  concurrent  equality,  which  allows  logically  independent 
steps  in  a  trace  to  be  reordered;  we  conjecture  that  the  resulting  equivalence  relation  imposed 
on  our  logical  framework  is  analogous  to  the  one  given  by  multifocusing  in  logic,  but  a  full 
exposition  of  this  connection  is  left  for  future  work. 

The SLS framework acts as a bridge between the world of logical frameworks, where deductive derivations are the principal objects of study, and the world of rewriting logic, where rewriting sequences that are similar to SLS traces are the principal objects of study. Part II of this dissertation discusses a number of ways of describing operational semantics specifications in SLS, using ordered resources to encode control structures, using mobile/linear resources to encode mutable state and concurrent communication, and using persistent resources to represent memoization and binding. Different styles of specification are connected to each other through systematic transformations on SLS specifications that we prove to be generally sound, a methodology named the logical correspondence, following Danvy et al.'s functional correspondence.
Most of the systematic transformations discussed in Chapter 6 and Chapter 7 – operationalization, defunctionalization, and destination-adding – are implemented in the SLS prototype implementation. Utilizing this implementation, we show in Appendix B that it is possible to fuse together a single coherent SLS specification of a MiniML language with concurrency, state, and communication using various different styles of specification, including natural semantics where appropriate.

This dissertation also discusses two different methodologies for formally reasoning about properties of operational semantics specifications in SLS. The program analysis methodology considered in Chapter 8 allows us to derive effectively executable abstractions of programming language semantics directly from operational semantics specifications in SLS. The methodology of progress, preservation, and type safety considered in Chapter 9 and Chapter 10 is presented as a natural extension of traditional "safety = progress + preservation" reasoning. In a sense, the work described in this document has pushed our ability to reason formally about properties of SLS specifications (and substructural operational semantics specifications in particular) some distance beyond our ability to informally reason about these specifications. An important direction for future work will be to move beyond the misleadingly-sequential language of SLS traces and develop a more user-friendly language for writing, talking, and thinking about traces in SLS, especially generative traces.
Appendix A

Process states summary


In this dissertation, we emphasize the use of process states to describe the internal states of the evolving systems we are interested in. This view is an extension of Miller's processes-as-formula interpretation [Mil93, DCS12]. Of course, a process state is not a formula; Section 4.7.2 discusses our emphasis on SLS process states instead of SLS formulas as the fundamental representation of the internal states of evolving systems.

A process state as defined in Chapter 4 has the form (Ψ; Δ)σ, though outside of Chapter 4 we never use the associated substitution σ, writing (Ψ; Δ) to indicate the empty substitution σ = ·. The first-order context Ψ, which is sometimes omitted, is also called the LF context in SLS because Spine Form LF is the first-order term language of SLS (Section 4.1). Δ is a substructural context.


A.1 Substructural contexts

A substructural context (written as Δ and occasionally as Ξ) is a sequence of variable bindings x:T lvl - all the variables x bound in a context must be distinct. In SLS, lvl is either ord (ordered resources), eph (mobile resources, also called ephemeral or linear resources), or pers (persistent resources).

In stable process states, T is usually a suspended positive atomic proposition ⟨Q⟩. The permeability of a positive atomic proposition (ordered, mobile/linear/ephemeral, or persistent) is one of its intrinsic properties (Section 2.5.4, Section 3.3.2), so we can write x:⟨Q⟩ instead of x:⟨Q⟩ ord, x:⟨Q⟩ eph, or x:⟨Q⟩ pers if the permeability of Q is known from the context. So the encoding of the string [<>([]), described in the introduction as

left(sq) left(an) right(an) left(pa) left(sq) right(sq) right(pa)

is more properly described as

x1:⟨left sq⟩, x2:⟨left an⟩, x3:⟨right an⟩, x4:⟨left pa⟩, x5:⟨left sq⟩, x6:⟨right sq⟩, x7:⟨right pa⟩

We write x1:⟨left sq⟩ instead of x1:⟨left sq⟩ ord above, leaving implicit the fact that left and right are ordered predicates.
It is also possible, in nested SLS specifications (Section 5.1, Section 6.1), to have variable bindings x:A⁻ ord, x:A⁻ eph, and x:A⁻ pers. These nested specifications act much like rules in the SLS signature, though mobile rules (x:A⁻ eph) can only be used one time, and ordered rules (x:A⁻ ord) can only be used one time and only in one particular part of the context (Figure 5.2).

Chapter 3 treats substructural contexts strictly as sequences, but in later chapters we treat substructural contexts in a more relaxed fashion, allowing mobile/linear/ephemeral and persistent variable bindings to be tacitly reordered relative to one another and relative to ordered propositions. In this relaxed reading, (x1:⟨Q1⟩ ord, x2:⟨Q2⟩ ord) and (x2:⟨Q2⟩ ord, x1:⟨Q1⟩ ord) are not equivalent contexts but (x3:⟨Q3⟩ pers, x2:⟨Q2⟩ ord) and (x2:⟨Q2⟩ ord, x3:⟨Q3⟩ pers) are.

A frame Θ represents a context with a hole in it. The notation Θ{Δ} tacks the substructural context Δ into the hole in Θ; the context and the frame must have disjoint variable domains for this to make sense. In Chapter 3, frames are interrupted sequences of variable bindings x1:T1 lvl, ..., xn:Tn lvl, □, xn+1:Tn+1 lvl, ..., xm:Tm lvl, where the box represents the hole. In later chapters, this is relaxed in keeping with the relaxed treatment of contexts modulo reordering of mobile and persistent variable bindings.


A.2  Steps  and  traces 

Under focusing, a SLS proposition can correspond to some number of synthetic transitions (Section 2.4, Section 4.2.6). The declaration rule : Q1 • Q2 ↠ {Q3 • Q2}¹ in an SLS signature Σ, where Q1 is ordered, Q2 is mobile, and Q3 is persistent, is associated with this synthetic transition:

Θ{x1:⟨Q1⟩ ord, x2:⟨Q2⟩ eph} ⇝ Θ{y1:⟨Q3⟩ pers, y2:⟨Q2⟩ eph}

The variable bindings x1 and x2 no longer appear in Θ{y1:⟨Q3⟩ pers, y2:⟨Q2⟩ eph}. The proof terms associated with synthetic transitions are steps (Section 4.2.6), and the step corresponding to the synthetic transition above is written as {y1, y2} ← rule (x1 • x2). As described in Section 4.2.6, we can relate the step to the synthetic transition like this:

{y1, y2} ← rule (x1 • x2) :: Θ{x1:⟨Q1⟩ ord, x2:⟨Q2⟩ eph} ⇝ Θ{y1:⟨Q3⟩ pers, y2:⟨Q2⟩ eph}

As described in Section 4.2.7, we can also use a more Hoare-logic inspired notation:

Θ{x1:⟨Q1⟩ ord, x2:⟨Q2⟩ eph}

{y1, y2} ← rule (x1 • x2)

Θ{y1:⟨Q3⟩ pers, y2:⟨Q2⟩ eph}

The reflexive-transitive closure of ⇝ is ⇝*, and the proof terms witnessing these sequences of synthetic transitions are traces T ::= ◇ | S | T, T. Concurrent equality (Section 4.3) is an equivalence relation on traces that allows us to rearrange the steps S1 = {P1} ← R1 and S2 = {P2} ← R2 in a trace when the variables introduced by P1 (the output interface of S1, written S1•) are not mentioned in R2 (the input interface of S2, written •S2) and vice versa.

¹This is synonymous with the proposition Q1 • Q2 ↠ ○(Q3 • Q2) (Section 4.2).
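To make the independence condition behind concurrent equality concrete, here is an added Python model (not part of the dissertation or of the SLS implementation) of steps with input and output interfaces. It goes beyond the pairwise swap described above: normal_form computes the lexicographically least trace reachable by swapping independent adjacent steps, which decides concurrent equality of whole traces; Step, independent, key and the sample steps S1, S2, S3 are all constructed here.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# A step {P} <- R consumes the variables mentioned in R (its input interface,
# written •S in the text) and introduces the variables bound by P (its output
# interface, written S•).  Step and its field names are our own, not SLS syntax.
@dataclass(frozen=True)
class Step:
    rule: str
    inputs: FrozenSet[str]   # variables consumed: •S
    outputs: FrozenSet[str]  # variables introduced: S•

    def __str__(self) -> str:
        return "{%s} <- %s (%s)" % (", ".join(sorted(self.outputs)),
                                    self.rule, " • ".join(sorted(self.inputs)))

def independent(s1: Step, s2: Step) -> bool:
    """Adjacent steps may be reordered when S1• ∩ •S2 = ∅ and S2• ∩ •S1 = ∅."""
    return not (s1.outputs & s2.inputs) and not (s2.outputs & s1.inputs)

def key(s: Step) -> Tuple[str, Tuple[str, ...]]:
    # Every variable is bound once, so (rule, outputs) identifies a step and
    # gives a total order to sort independent steps by.
    return (s.rule, tuple(sorted(s.outputs)))

def normal_form(trace: List[Step]) -> List[Step]:
    """Least representative of the concurrent-equality class of a trace.
    Each step is inserted in turn: it may move left across the longest run
    of steps it is independent of, and within that run it is placed after
    the steps with a smaller key (the lexicographic normal form of a trace
    monoid, constructed incrementally)."""
    out: List[Step] = []
    for s in trace:
        j = len(out)
        while j > 0 and independent(out[j - 1], s):
            j -= 1
        k = j
        while k < len(out) and key(out[k]) < key(s):
            k += 1
        out.insert(k, s)
    return out

def concurrently_equal(t1: List[Step], t2: List[Step]) -> bool:
    """Two traces are concurrently equal iff they share a normal form."""
    return normal_form(t1) == normal_form(t2)

# Constructed sample steps: the step from the text, a step on unrelated
# resources, and a step that consumes the y2 introduced by the first one.
S1 = Step("rule", frozenset({"x1", "x2"}), frozenset({"y1", "y2"}))
S2 = Step("other", frozenset({"w1"}), frozenset({"z1"}))
S3 = Step("consume", frozenset({"y2"}), frozenset({"z2"}))

if __name__ == "__main__":
    print(S1)                                        # {y1, y2} <- rule (x1 • x2)
    print(independent(S1, S2), independent(S1, S3))  # True False
    print(concurrently_equal([S1, S2], [S2, S1]))    # True
    print(concurrently_equal([S1, S3], [S3, S1]))    # False
```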
Appendix B

A hybrid specification of Mini-ML


In this section, we present the specification that was illustrated in Figure 5.4 as a full SLS specification. This specification is a hybrid or chimera: it has individual features that are presented using big-step natural semantics, nested ordered abstract machine semantics, flat ordered abstract machine semantics, and destination-passing semantics.

Illustrating the logical correspondence methodology that we introduced in Chapter 5 and expounded upon in Chapters 6 and 7, all these specifications can be transformed into a common flat destination-passing semantics. With the exception of Concurrent ML primitives, which were only alluded to in Section 7.2.2, all the pieces of this specification (or very similar variants) have been presented elsewhere in the dissertation. The specification in this section is careful to present the entire SLS specification, as opposed to other examples in which the relevant LF declarations were almost always omitted.

The lowest common denominator of destination-passing semantics can be represented in CLF, and the SLS implementation is able to output CLF code readable in Schack-Nielsen's Celf implementation [SNS08]. The implemented logic programming engine of Celf is therefore able to execute Mini-ML programs encoded as terms of type exp in our hybrid specification.


B.1 Pure Mini-ML

There are various toy languages calling themselves "Mini-ML" in the literature. All Mini-MLs reflect some of the flavor of functional programming while avoiding features such as complex pattern-matching and datatype declarations that make the core language of Standard ML [MTHM97] a bit more complicated. Of course, Mini-MLs universally avoid the sophisticated ML module language as well.

Like the PCF language [Plo77], Mini-ML variants usually have at least a fixed-point operator, unary natural numbers, and functions. We add Boolean and pair values to this mix, as well as the arbitrary choice operator ⌜e1 ⊕ e2⌝ = arb ⌜e1⌝ ⌜e2⌝ from Section 6.4.1. The specification in Section B.1.2 is an encoding of the natural semantics judgment ⌜e ⇓ v⌝ = ev ⌜e⌝ ⌜v⌝ presented throughout Chapter 6. The language is pure - the only effect is nontermination - so we can fully specify the language as a big-step operational semantics.
B.1.1 Syntax

exp: type.

lam: (exp -> exp) -> exp.                  ; fn x => e
app: exp -> exp -> exp.                    ; e (e)
fix: (exp -> exp) -> exp.                  ; fix x.e
true: exp.                                 ; tt
false: exp.                                ; ff
ite: exp -> exp -> exp -> exp.             ; if e then et else ef
zero: exp.                                 ; z
succ: exp -> exp.                          ; s (e)
case: exp -> exp -> (exp -> exp) -> exp.   ; case e of z => ez | s x => es
unit: exp.                                 ; <>
pair: exp -> exp -> exp.                   ; <e1, e2>
fst: exp -> exp.                           ; e.1
snd: exp -> exp.                           ; e.2
arb: exp -> exp -> exp.                    ; e1 ?? e2

B.1.2 Natural semantics

#mode ev + -.
ev: exp -> exp -> prop.

ev/lam: ev (lam \x. E x) (lam \x. E x).
ev/app: ev (app E1 E2) V
   <- ev E1 (lam \x. E x)
   <- ev E2 V2
   <- ev (E V2) V.
ev/fix: ev (fix \x. E x) V
   <- ev (E (fix \x. E x)) V.
ev/true: ev true true.
ev/false: ev false false.

#mode caseb + + + -.
caseb: exp -> exp -> exp -> exp -> prop.
ev/ite: ev (ite E Et Ef) V
   <- ev E V'
   <- caseb V' Et Ef V.
case/t: caseb true Et Ef V
   <- ev Et V.
case/f: caseb false Et Ef V
   <- ev Ef V.

ev/zero: ev zero zero.
ev/succ: ev (succ E) (succ V)
   <- ev E V.

#mode casen + + + -.
casen: exp -> exp -> (exp -> exp) -> exp -> prop.
ev/case: ev (case E Ez \x. Es x) V
   <- ev E V'
   <- casen V' Ez (\x. Es x) V.
case/z: casen zero Ez (\x. Es x) V
   <- ev Ez V.
case/s: casen (succ V') Ez (\x. Es x) V
   <- ev (Es V') V.

ev/unit: ev unit unit.
ev/pair: ev (pair E1 E2) (pair V1 V2)
   <- ev E1 V1
   <- ev E2 V2.
ev/fst: ev (fst E) V1
   <- ev E (pair V1 V2).
ev/snd: ev (snd E) V2
   <- ev E (pair V1 V2).
ev/arb1: ev (arb E1 E2) V
   <- ev E1 V.
ev/arb2: ev (arb E1 E2) V
   <- ev E2 V.
B.2 State

The strength of an ordered abstract machine semantics specification is its ability to handle modular addition of stateful features. While Section 6.5 discussed the modular extension of flat ordered abstract machines, nested ordered abstract machines are also perfectly capable of handling stateful features such as mutable storage (Section 6.5.1) and call-by-need recursive suspensions (Section 6.5.2).

B.2.1 Syntax

mutable_loc: type.
loc: mutable_loc -> exp.       ; (no concrete syntax)
ref: exp -> exp.               ; ref e
get: exp -> exp.               ; ! e
set: exp -> exp -> exp.        ; e1 := e2

bind_loc: type.
issusp: bind_loc -> exp.       ; (no concrete syntax)
thunk: (exp -> exp) -> exp.    ; thunk x.e
force: exp -> exp.             ; force e

B.2.2 Nested ordered abstract machine semantics

In Section 6.5.1, we discussed mutable storage as a flat ordered abstract machine (Figure 6.14), but it is equally straightforward to describe a nested ordered abstract machine for mutable storage.

cell: mutable_loc -> exp -> prop lin.

ev/loc: eval (loc L) >-> {retn (loc L)}.
ev/ref: eval (ref E1)
   >-> {eval E1 *
        (All V1. retn V1
           >-> {Exists l. retn (loc l) * $cell l V1})}.
ev/get: eval (get E1)
   >-> {eval E1 *
        (All L. retn (loc L) * $cell L V
           >-> {retn V * $cell L V})}.
ev/set: eval (set E1 E2)
   >-> {eval E1 *
        (All L. retn (loc L)
           >-> {eval E2 *
                (All V2. All Vignored. retn V2 * $cell L Vignored
                   >-> {retn unit * $cell L V2})})}.


B.2.3 Flat ordered abstract machine semantics

In Section 6.5.2, we gave a semantics for call-by-need recursive suspensions both as a flat ordered abstract machine (Figure 6.16) and as a nested ordered abstract machine (Figure 6.17). However, the nested ordered abstract machine from Figure 6.17 uses the with connective A⁻ & B⁻, and our implementation of the defunctionalization transformation doesn't handle this connective. Therefore, we repeat the flat ordered abstract machine from Figure 6.16. Note, however, that there is no technical reason why A⁻ & B⁻ should be difficult to handle; any actual difficulty is mostly in terms of making sure uncurrying (Section 6.2.2) does something sensible.

susp: bind_loc -> (exp -> exp) -> prop lin.
blackhole: bind_loc -> prop lin.
bind: bind_loc -> exp -> prop pers.

force1: frame.
bind1: bind_loc -> frame.

ev/susp: eval (issusp L) >-> {retn (issusp L)}.
ev/thunk: eval (thunk \x. E x)
   >-> {Exists l. $susp l (\x. E x) * retn (issusp l)}.
ev/force: eval (force E) >-> {eval E * cont force1}.
ev/suspended1: retn (issusp L) * cont force1 * $susp L (\x. E' x)
   >-> {eval (E' (issusp L)) * cont (bind1 L) * $blackhole L}.
ev/suspended2: retn V * cont (bind1 L) * $blackhole L
   >-> {retn V * !bind L V}.
ev/memoized: retn (issusp L) * cont force1 * !bind L V
   >-> {retn V}.

B.3 Failure

The reason we introduced frames in Section 6.2.3 was to allow the semantics of recoverable failure to talk generically about all continuations. In Section B.3.2, we generalize the semantics from Section 6.5.4 by having exceptions carry a value.

B.3.1 Syntax

raise: exp -> exp.                  ; raise e
try: exp -> (exp -> exp) -> exp.    ; try e catch x.ef

B.3.2 Flat ordered abstract machine semantics

handle: (exp -> exp) -> prop ord.
error: exp -> prop ord.

raise1: frame.

ev/raise: eval (raise E) >-> {eval E * cont raise1}.
ev/raise1: retn V * cont raise1 >-> {error V}.
ev/try: eval (try E1 (\x. E2 x)) >-> {eval E1 * handle (\x. E2 x)}.

error/cont: error V * cont F >-> {error V}.
error/hand: error V * handle (\x. E2 x) >-> {eval (E2 V)}.
retn/hand: retn V * handle (\x. E2 x) >-> {retn V}.
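As an added illustration of how these rules rewrite an ordered context (our own Python simulator, not the SLS implementation or code from the dissertation), the following runs the flat ordered abstract machine for failure with the active proposition at the left end of a list and the frames and handlers to its right. It assumes, beyond the rules on this page, the usual frame succ1 for succ, so that an error can be seen unwinding past an ordinary frame before it reaches a handler; step, run and PROG are constructed names.

```python
# Ordered context: ctx[0] is the active proposition (eval/retn/error); the
# elements to its right are the frames (cont F) and handlers (handle \x. E2 x),
# innermost first, exactly where the rules above place them.
# Expressions are tuples such as ("raise", e) or ("try", e1, f), where the
# Python function f stands in for the handler body \x. E2 x.
VALUES = ("zero", "unit", "true", "false")

def step(ctx):
    """Apply one rule at the left end of the ordered context; None if stable."""
    head, rest = ctx[0], ctx[1:]
    kind = head[0]
    if kind == "eval":
        e = head[1]
        if e[0] in VALUES:
            return [("retn", e)] + rest
        if e[0] == "succ":                   # assumed: eval (succ E) >-> {eval E * cont succ1}
            return [("eval", e[1]), ("cont", "succ1")] + rest
        if e[0] == "raise":                  # ev/raise
            return [("eval", e[1]), ("cont", "raise1")] + rest
        if e[0] == "try":                    # ev/try
            return [("eval", e[1]), ("handle", e[2])] + rest
        raise ValueError("no rule for %r" % (e,))
    if not rest:
        return None                          # nothing to the right: stable
    frame, rest = rest[0], rest[1:]
    v = head[1]
    if kind == "retn":
        if frame == ("cont", "succ1"):       # assumed: retn V * cont succ1 >-> {retn (succ V)}
            return [("retn", ("succ", v))] + rest
        if frame == ("cont", "raise1"):      # ev/raise1
            return [("error", v)] + rest
        if frame[0] == "handle":             # retn/hand: handler is discarded
            return [("retn", v)] + rest
    if kind == "error":
        if frame[0] == "cont":               # error/cont: unwind one frame
            return [("error", v)] + rest
        if frame[0] == "handle":             # error/hand: run the handler on V
            return [("eval", frame[1](v))] + rest
    raise ValueError("stuck: %r" % (ctx,))

def run(e, limit=1000):
    """Rewrite from eval e to a stable context; return the final active proposition."""
    ctx = [("eval", e)]
    for _ in range(limit):
        nxt = step(ctx)
        if nxt is None:
            return ctx[0]
        ctx = nxt
    raise RuntimeError("no stable state within %d steps" % limit)

# Constructed program: try (succ (raise z)) catch x. succ x
PROG = ("try", ("succ", ("raise", ("zero",))), lambda x: ("succ", x))

if __name__ == "__main__":
    print(run(PROG))                    # ('retn', ('succ', ('zero',)))
    print(run(("raise", ("true",))))    # ('error', ('true',))
```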
B.4 Parallelism

While ordered abstract machines can represent parallel evaluation, and the operationalization transformation can expose it, parallel ordered abstract machines and the destination-adding transformation do not interact in a helpful way. Therefore, for our hybrid specification, we will describe parallel evaluation at the destination-passing level, as in Section 7.2.1.

B.4.1 Destination-passing semantics

Instead of the parallel pairs shown in Figure 6.8 and Figure 7.6, we will use a parallel let construct ⌜letpar (x1, x2) = (e1, e2) in e⌝ = letpar ⌜e1⌝ ⌜e2⌝ λx1. λx2. ⌜e⌝.

cont2: frame -> dest -> dest -> dest -> prop lin.

letpar: exp -> exp -> (exp -> exp -> exp) -> exp.
letpar1: (exp -> exp -> exp) -> frame.

ev/letpar: eval (letpar E1 E2 \x. \y. E x y) D
   >-> {Exists d1. eval E1 d1 *
        Exists d2. eval E2 d2 *
        cont2 (letpar1 \x. \y. E x y) d1 d2 D}.
ev/letpar1: retn V1 D1 * retn V2 D2 *
            cont2 (letpar1 \x. \y. E x y) D1 D2 D
   >-> {eval (E V1 V2) D}.

B.4.2 Integration of parallelism and exceptions

We have discussed two semantics for parallel evaluation. The first semantics, in Section 6.5.4, only raised an error if both parallel branches terminated and one raised an error. The second semantics, in Section 7.2.1, raised an error if either branch raised an error, and then allowed the other branch to return a value.

We will demonstrate a third option here, the sequential exception semantics used by Manticore [FRR08]. An error raised by the second scrutinee e2 of letpar will only be passed up the stack if the first scrutinee e1 returns a value. We also represent Manticore's cancellation - if the first branch of a parallel evaluation raises an exception, then rather than passively waiting for the second branch to terminate we proactively walk up its stack attempting to cancel the computation.

cancel: dest -> prop lin.

ev/errorL: error V D1 * cont2 X D1 D2 D
   >-> {error V D * cancel D2}.
ev/errorR: retn _ D1 * error V D2 * cont2 _ D1 D2 D
   >-> {error V D}.

cancel/eval: eval _ D * cancel D >-> {one}.
cancel/retn: retn _ D * cancel D >-> {one}.
cancel/error: error _ D * cancel D >-> {one}.
cancel/cont: cont _ D' D * cancel D >-> {cancel D'}.
cancel/cont2: cont2 _ D1 D2 D * cancel D >-> {cancel D1 * cancel D2}.

B.5 Concurrency

Concurrent ML is an excellent example of the power of destination-passing specifications. The Concurrent ML primitives allow a computation to develop a rich interaction structure that does not mesh well with the use of ordered logic, but the destination-passing style allows for a clean specification that is fundamentally like the one used for simple synchronization in Section 7.2.2. This account directly follows Cervesato et al.'s account [CPWW02], similarly neglecting negative acknowledgements.

B.5.1 Syntax

channel: type.

spawn: exp -> exp.                  ; spawn e
exit: exp.                          ; exit
newch: exp.                         ; channel
chan: channel -> exp.               ; (no concrete syntax)
sync: exp -> exp.                   ; sync e
send: exp -> exp -> exp.            ; send c e
recv: exp -> exp.                   ; recv c
always: exp -> exp.                 ; always e
choose: exp -> exp -> exp.          ; e1 + e2
never: exp.                         ; 0
wrap: exp -> (exp -> exp) -> exp.   ; wrap e in x.e'

B.5.2 Natural semantics

Many of the pieces of Concurrent ML do not interact with concurrency directly; instead, they build channels and event values that drive synchronization. In our hybrid specification methodology, we can give these pure parts of the Concurrent ML specification a big-step natural semantics specification.

ev/chan: ev (chan C) (chan C).
ev/always: ev (always E1) (always V1)
   <- ev E1 V1.
ev/recv: ev (recv E1) (recv V1)
   <- ev E1 V1.
ev/send: ev (send E1 E2) (send V1 V2)
   <- ev E1 V1
   <- ev E2 V2.
ev/choose: ev (choose E1 E2) (choose V1 V2)
   <- ev E1 V1
   <- ev E2 V2.
ev/never: ev never never.
ev/wrap: ev (wrap E1 \x. E2 x) (wrap V1 \x. E2 x)
   <- ev E1 V1.

B.5.3 Destination-passing semantics

The destination-passing semantics of Concurrent ML has three main parts. The first part, a spawn primitive, creates a new disconnected thread of computation - the same kind of disconnected thread that we used for the interaction of parallelism and failure in Section 7.2.1. The newch primitive creates a new channel for communication.

terminate: dest -> prop lin.

term/retn: retn _ D * terminate D >-> {one}.
term/error: error _ D * terminate D >-> {one}.

ev/spawn: eval (spawn E) D
   >-> {retn unit D *
        Exists d'. eval E d' * terminate d'}.

ev/newch: eval newch D >-> {Exists c. retn (chan c) D}.

The critical feature of Concurrent ML is synchronization, which is much more complex than the simple synchronization described in Section 7.2.2, and has something of the flavor of the labels described in that section. An action can include many alternatives, but if a send and a receive can simultaneously take place along a single channel, then the synch/communicate rule can enable both of the waiting synch v d propositions to proceed evaluating as eval propositions.

Here as in Cervesato et al.'s specification, events are atomically paired up using the backward-chaining action rules, which are not transformed: the intent is for the action predicate to act like a backtracking, backward-chaining logic program in the course of evaluation.

#mode action + - -.
action: exp -> exp -> (exp -> exp) -> prop.

act/t: action (always V) (always V) (\x. x).
act/s: action (send (chan C) V) (send (chan C) V) (\x. x).
act/v: action (recv (chan C)) (recv (chan C)) (\x. x).
act/l: action (choose Event1 Event2) Lab (\x. E x)
   <- action Event1 Lab (\x. E x).
act/r: action (choose Event1 Event2) Lab (\x. E x)
   <- action Event2 Lab (\x. E x).
act/w: action (wrap Event1 \x. E2 x) Lab (\x. app (lam (\x. E2 x)) (E x))
   <- action Event1 Lab (\x. E x).

synch: exp -> dest -> prop lin.

sync1: frame.

ev/sync: eval (sync E1) D >-> {Exists d1. eval E1 d1 * cont sync1 d1 D}.
ev/sync1: retn W D1 * cont sync1 D1 D >-> {synch W D}.

synch/always: synch Event D *
              !action Event (always V') (\x. E x)
   >-> {eval (E V') D}.
synch/communicate: synch Event1 D1 *
                   !action Event1 (send (chan C) V) (\x. E1 x) *
                   synch Event2 D2 *
                   !action Event2 (recv (chan C)) (\x. E2 x)
   >-> {eval (E1 unit) D1 * eval (E2 V) D2}.
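The backtracking action predicate and the two synch rules, as an added Python model that is not part of the dissertation or of Cervesato et al.'s specification: event values are tuples, wrap carries a Python function in place of \x. E2 x, and action, synch_always, communicate and the sample events EV1 and EV2 are constructed names.

```python
# Events: ("always", v), ("send", chan, v), ("recv", chan), ("choose", e1, e2),
# ("wrap", e, f) with f a Python function, and ("never",).  Channels are names.
UNIT = ("unit",)

def action(event):
    """Yield (label, continuation) pairs in the order the backward-chaining
    action predicate would enumerate them under backtracking."""
    tag = event[0]
    if tag in ("always", "send", "recv"):        # act/t, act/s, act/v
        yield event, (lambda x: x)
    elif tag == "choose":                        # act/l, then on backtracking act/r
        yield from action(event[1])
        yield from action(event[2])
    elif tag == "wrap":                          # act/w: run E2 on the result of E
        _, inner, f = event
        for lab, cont in action(inner):
            yield lab, (lambda x, cont=cont, f=f: f(cont(x)))
    # ("never",) has no clause, so it yields nothing

def synch_always(event):
    """synch/always: the first alternative labelled always V' fires with V'."""
    for lab, cont in action(event):
        if lab[0] == "always":
            return cont(lab[1])
    return None                                  # synch Event D stays blocked

def communicate(event_a, event_b):
    """synch/communicate: a send in one event paired with a recv on the same
    channel in the other.  The two synch propositions sit in a linear context,
    so the rule can match them in either order; returns the continuation
    results for (event_a, event_b), or None when no pairing exists."""
    for sender, receiver, swapped in ((event_a, event_b, False),
                                      (event_b, event_a, True)):
        for lab1, cont1 in action(sender):
            if lab1[0] != "send":
                continue
            for lab2, cont2 in action(receiver):
                if lab2[0] == "recv" and lab2[1] == lab1[1]:
                    res = (cont1(UNIT), cont2(lab1[2]))   # sender gets unit
                    return (res[1], res[0]) if swapped else res
    return None

# Constructed sample: thread 1 offers to send 42 on channel c or to proceed at
# once with 1; thread 2 receives on c and doubles whatever arrives.
EV1 = ("choose", ("always", 1), ("send", "c", 42))
EV2 = ("wrap", ("recv", "c"), lambda v: v * 2)

if __name__ == "__main__":
    print([lab for lab, _ in action(EV1)])   # [('always', 1), ('send', 'c', 42)]
    print(synch_always(EV1))                 # 1
    print(communicate(EV1, EV2))             # (('unit',), 84)
```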


B.6 Composing the semantics

Within Standard ML, we can read the various specifications described in this appendix and use directives to successively operationalize, defunctionalize, add destinations, and output CLF that is readable by the Celf implementation.

CM.make "../../sls/sources.cm";
fun HEADING s = print ("\n\n== "^s^" ==\n\n");
Frontend.init ();

HEADING "NATURAL SEMANTICS";
Frontend.reset ();
Frontend.read "#operationalize \"ord-nested.auto.sls\" \
              \ (ev ~> eval retn) \
              \ (casen ~> casen retn) \
              \ (caseb ~> caseb retn).";
Frontend.load "compose/pure-exp.sls";
Frontend.load "compose/pure-natsem.sls";
Frontend.load "compose/concur-exp.sls";
Frontend.load "compose/concur-natsem.sls";
Frontend.read "#operationalize stop.";

HEADING "ORDERED ABSTRACT MACHINES (nested)";
Frontend.reset ();
Frontend.read "#defunctionalize \"ord-flat.auto.sls\" \
              \ (cont frame : ord).";
Frontend.load "ord-nested.auto.sls";
Frontend.load "compose/imp-exp.sls";
Frontend.load "compose/imp-ordmachine.sls";
Frontend.read "#defunctionalize stop.";

HEADING "ORDERED ABSTRACT MACHINES (flat)";
Frontend.reset ();
Frontend.read "#destadd \"dest.auto.sls\" \
              \ dest eval retn error casen caseb.";
Frontend.load "ord-flat.auto.sls";
Frontend.load "compose/control-exp.sls";
Frontend.load "compose/control-ordmachine.sls";
Frontend.load "compose/susp-ordmachine.sls";

HEADING "DESTINATION-PASSING";
Frontend.reset ();
Frontend.read "#clf \"miniml.clf\".";
Frontend.load "dest.auto.sls";
Frontend.load "compose/par-dest1.sls";
Frontend.load "compose/par-dest2.sls";
Frontend.load "compose/concur-dest1.sls";
Frontend.load "compose/concur-dest2.sls";
Frontend.read "#clf stop.";